Spécialiste de la sécurité des applications

Description du poste

Insights from HM:

What is the business need for opening this role? If you’ve hired for this position before, how has the role/team/scope of responsibilities changed since then?

OneSpan needs to focus on delivering products without vulnerabilities and needs to be able to react to new vulnerabilities in a fast and efficient way. Over time the number of vulnerabilities must decrease and the time-to-patch (time between reporting of a vulnerability and the moment it is fixed/patched) must be reduced.

What are the high-level objectives for this person?

We need an application security specialist who knows how our products are build and operate. The hire needs to follow-up on reported vulnerabilities in the products (by scanning tools and by customers) and pro-actively search for vulnerabilities in the products. The hire needs to work with R&D to ensure we have full code scan coverage.

What are the first 90 day goals for this person?

Understand how one of the products (probably OneSpan Sign) is developed and build and how it works. Be able to analyze the SAST/DAST/SCA scan reports of OSS. Be able to determine the actual severity of discovered vulnerabilities and know how to report vulnerabilities to R&D.

What goals need to be achieved a year from now for you to determine the hire is successful?

 Understand and know how our SaaS products work
 Be able to create a release approval report used in GO/NO GO meeting.
 Prepare, manage and follow-up the annual penetration tests for our online services.

__________________________________________________

At OneSpan, we infuse trust into everything we do. That’s why enterprises that care about securing the customer journey partner with us. Security is core to OneSpan’s DNA.
We are looking for an Application Security Specialist near our office in Montreal to support us in building best in class security solutions for our customers. You will join OneSpan’s Security Competence Center, a team in the OneSpan R&D organization which is responsible for the security aspects of OneSpan’s products and services.

Responsibilities:
• Interpret the results of security scans (SAST, SCA, DAST, penetration tests, bug bounty programs) and give relevant and risk-based suggestions for solving security issues and track the resolution activities.
• Manage external penetration testing and bug bounty activities.
• Improve automated security testing of developed code together with the development teams through various methods and tools.
• Be the go-to person for application security related questions from R&D security champions.
• Follow up on secure product development practices and trends and provide suggestions to further improve our secure development processes.
• Perform hands-on security testing on our solutions.

Requirements:
• 4+ years of hands-on technical experience with software security.
• Experience with software security scanning tools (such as SAST, SCA, DAST).
• Good understanding of web applications, frameworks and protocols with respect to application development, building and deployment, build pipelines and automation (Gitlab, Jenkins).
• Familiar with the foundations of secure development and application security (AppSec/DevSecOps) concepts and practices.
• Penetration testing (infrastructure, web application) or bug bounty experience is beneficial
• Experience with Veracode is a big plus.