Application Security Manager - Remote

Location: Remote

Type: Full-Time

Department: Information Security

About Us

As the largest online distributor of restaurant supplies and equipment, WebstaurantStore, a Clark Associates company, hosts an expansive catalogue with over 430,000 products that are delivered through fast, dependable shipping, making us the internet's largest restaurant supplier. Our CAST (Clark Associates Security Team) is committed to maintaining the highest standards of security and integrity in all our applications and systems.

Job Overview

We are seeking a Hands-On Application Security Manager who will lead our application security efforts while actively participating in technical tasks. In this role, you will function as a senior application security engineer who also guides and mentors the team. You will be instrumental in integrating security practices throughout the software development lifecycle (SDLC), securing containerized applications, securing our ecommerce platforms, and enhancing our overall security posture.

Key Responsibilities

• Technical Leadership:
• Actively perform security assessments, code reviews, penetration testing, and vulnerability management.
• Develop and implement security measures to protect applications, including those running in containerized environments (e.g., Docker, Kubernetes).
• Stay current with the latest security threats, vulnerabilities, and technologies.
• Team Leadership:
• Lead, mentor, and provide technical guidance to a team of application security engineers and analysts.
• Foster a collaborative environment that encourages knowledge sharing and continuous learning.
• Program Management:
• Oversee the integration of security practices into all stages of the SDLC.
• Implement security tools and processes within CI/CD pipelines and development workflows.
• Establish metrics and reporting mechanisms to track the effectiveness of the Application Security program.
• Security Control Integration:
• Collaborate with development and DevOps teams to ensure secure coding practices and secure deployment of containerized applications.
• Integrate security testing tools into CI/CD pipelines for both traditional and containerized applications.
• Policy Development:
• Establish and enforce secure coding standards, policies, and procedures across the organization.
• Ensure compliance with relevant security standards and regulations.
• Risk Management:
• Identify, assess, and prioritize application security risks, including those specific to container technologies.
• Develop and oversee remediation plans to address identified vulnerabilities.
• Collaboration:
• Work closely with product managers, developers, and other stakeholders to integrate security requirements into product development.
• Provide security design reviews and consultations for new and existing projects.
• Advocate for security best practices across the organization.
• Reporting:
• Provide regular updates on security metrics, program status, and risk assessments to executive leadership.
• Communicate security issues and strategies effectively to both technical and non-technical audiences.
  
  

Qualifications

Education

• Bachelor's degree in Computer Science, Information Security, or a related field; Master's degree preferred.
  
  

Experience

• Minimum of 5 years of hands-on experience in application security engineering.
• Proven experience leading or mentoring a team of security professionals.
• Extensive experience integrating security into the SDLC and CI/CD pipelines.
• Demonstrated expertise in securing containerized applications and environments.
  
  

Technical Expertise

• Application Security:
• Deep understanding of application security principles, threats, and mitigation strategies.
• Proficient with tools like OWASP ZAP, Burp Suite, Checkmarx, Fortify, and Veracode.
• Experience with OWASP Top 10, OWASP ASVS, and secure coding standards.
• Understanding of various API’s (REST) API Frameworks and API Security.
• Container Security:
• Strong knowledge of containerization technologies (e.g., Docker, Kubernetes).
• Experience securing containerized applications and implementing best practices for container security.
• Familiarity with container security tools like Aqua Security, Twistlock (Palo Alto Prisma), or Sysdig Secure.
• CI/CD and DevOps:
• Proficient with CI/CD tools such as Jenkins, GitLab CI/CD, or Azure DevOps.
• Experience integrating security tools into CI/CD pipelines for automated testing.
• Cloud Security:
• Experience with securing applications in cloud environments (e.g., AWS, Azure, GCP).
• Familiarity with cloud security services like AWS Security Hub or Azure Security Center.
• Programming and Scripting:
• Strong coding skills in languages such as Java, C#, Python, JavaScript, or similar.
• Ability to conduct code reviews and guide developers on secure coding practices.
• eCommerce Security:
• Experience with identifying, mitigating, and preventing security threats to ensure the safety and privacy of customer data and the integrity of the ecommerce systems.
• Conduct regular security assessments and audits of the ecommerce platform to identify vulnerabilities.
• Ensure that ecommerce platform complies with relevant regulatory standards such as PCI-DSS, GDPR, and CCPA.
• Familiarity with Web Application Firewalls and WAF logs.
• Incident Response:
• Oversee incident investigation efforts, including forensic analysis, to determine the root cause of incidents.
• Coordinate with cross-functional teams to ensure prompt and effective resolution of security incidents and prevent recurrence.
  
  

Skills

• Leadership: Proven ability to lead and mentor a technical team effectively.
• Communication: Excellent verbal and written communication skills; capable of explaining complex security concepts clearly.
• Problem-Solving: Strong analytical and troubleshooting skills in resolving security issues.
• Industry Knowledge: Up-to-date with the latest trends in application and container security.
• Time Management: Ability to manage multiple projects and priorities efficiently.
  
  

Certifications (Preferred)

• Certified Information Systems Security Professional (CISSP)
• Certified Secure Software Lifecycle Professional (CSSLP)
• GIAC Web Application Penetration Tester (GWAPT)
• Certified Kubernetes Security Specialist (CKS)
• Certified Information Security Manager (CISM)
  
  

Remote Work Qualifications

• Access to a reliable and secure high-speed internet connection. Cable or fiber internet connections (at least 75mbps download/10mbps upload) are preferred, as satellite connections often cannot support the technologies used to perform day-to-day tasks.
• Access to a home router and modem.
• A dedicated home office space that is noise- and distraction-free. The space should have strong wireless connection or a wired Ethernet connection (wired connection is preferred, if possible).
• A valid, physical address (apartment, suite, etc.). PO Boxes are not supported, as a physical address is required for you to receive your computer equipment.
• The desire and ability to work and communicate with other team members via chat, webcam, etc.
• Legal residents of one of the following states: (AK, AL, AR, AZ, CT, DE, FL, GA, IA, ID, IN, KS, KY, LA, MD, ME, MI, MN, MO, MS, NC, ND, NH, NM, NV, OH, OK, PA, SC, SD, TN, TX, UT, VA, VT, WI, WV, and WY). H-1B Visa Sponsorship Not Available, W2 only.