Application Security Lead Engineer (Remote Possible)
Santa Ana, California-Remote; Arizona-Remote; California-Remote; Illinois-Remote; Nevada-Remote; New Jersey-Remote; New York-Remote; Oregon-Remote; Texas-Remote; Washington-Remote; Minnesota-Remote
Who We Are
Join a team that puts its People First! Since 1889, First American (NYSE: FAF) has held an unwavering belief in its people. They are passionate about what they do, and we are equally passionate about fostering an environment where all feel welcome, supported, and empowered to be innovative and reach their full potential. Our inclusive, people-first culture has earned our company numerous accolades, including being named to the Fortune 100 Best Companies to Work For® list for eight consecutive years. We have also earned awards as a best place to work for women, diversity and LGBTQ+ employees, and have been included on more than 50 regional best places to work lists. First American will always strive to be a great place to work, for all. For more information, please visit www.careers.firstam.com.
What We Do
As an Application Security Lead, you will be a key member of the Information Security group, leading a team responsible for our overall secure Software Development Life Cycle (SDLC) program. The successful candidate will be responsible for defining application security requirements and ensuring the delivery of secure applications and solutions. The Application Security program is designed to ensure that any software developed by our engineers meets our overall security goals to protect our data. The successful candidate will exhibit the skills of an experienced leader, with a disciplined approach to process. You will work with a group tasked with coordinating across many functional teams to ensure that our applications stay at the highest security level. In a dynamic rapidly growing organization, you will be required to be innovative and collaborative to be successful. Candidate must be comfortable working and communicating with executives and can work at a deep technical level with engineers.
What You'll Do
- Conduct comprehensive security assessments of applications, systems, and networks to identify vulnerabilities, assess risks, and provide recommendations for enhancement.
- Collaborate closely with development and operations teams to integrate robust security practices into the software development lifecycle (SDLC) while ensuring compliance with stringent security requirements.
- Provide consultative leadership and implementation guidance to application teams on vulnerability remediation and mitigation.
- Develop and enforce secure coding practices, offering guidance to developers on coding best practices, security standards, and effective vulnerability remediation.
- Stay abreast of the latest threats, vulnerabilities, and industry best practices in application security. Proactively identify and mitigate potential risks.
- Monitor, investigate, and respond to security incidents, conduct in-depth root cause analyses, and advise on corrective measures to prevent recurrence.
- Execute security testing, encompassing vulnerability scanning, penetration testing, and code review, to pinpoint and address security weaknesses.
- Collaborate with cross-functional teams to undertake threat modeling, risk assessments, and security architecture reviews for new applications and systems.
- Research, identify, and document best-practice methods and emerging technologies, evaluating their applicability and feasibility in support of key business processes and requirements. Maintain effective enterprise application security processes, standards, and technologies.
- Define, collect, and communicate application vulnerability metrics at all levels of the organization, using them to gauge the likelihood that emerging threats will affect the organization and to identify weaknesses that could be exploited.
- Be consulted on incident response efforts, including the investigation, mitigation, and resolution of security incidents.
What You'll Bring
- A Bachelor's degree in Computer Science, Information Security, or a related field, or relevant working experience.
- A minimum of 5 years of experience in application security, including expertise in web application security, mobile application security, cloud security, and secure coding practices.
- A solid grasp of secure software development practices, encompassing threat modeling, risk assessment, and vulnerability management.
- Familiarity with pertinent industry standards and frameworks such as the OWASP Top Ten Project, NIST Cybersecurity Framework, and ISO/IEC 27001.
- Proficiency with security tools and technologies, including web application scanners, vulnerability scanners, penetration testing tools, and SIEM systems, along with Certified Application Security Engineer (CASE) certification.
- In-depth knowledge of common application security vulnerabilities, such as cross-site scripting (XSS), SQL injection, and cross-site request forgery (CSRF). The ability to provide guidance on effective mitigation strategies is essential.
- A strong understanding of network protocols, operating systems, and web technologies.
- Outstanding communication and interpersonal skills, with the capacity to effectively convey intricate security concepts to both technical and non-technical stakeholders.
- Certifications like Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), Offensive Security Certified Professional (OSCP), and Certified Application Security Engineer (CASE) are highly regarded.
- Familiarity with generative AI coding solutions and a substantial technical software development background, enabling you to lead the team in adhering to software best practices.
- Proficiency in scanning code and effectively mitigating and remediating findings.
Pay Range: $96,180 to $183,480 annually
This hiring range is a reasonable estimate of the base pay range for this position at the time of posting. Pay is based on a number of factors which may include job-related knowledge, skills, experience, business requirements and geographic location.