Hearst is a leading global, diversified media, information and services company. Its major interests include ownership in cable television networks; global financial services leader Fitch Group; Hearst Health; Hearst Transportation; 33 television stations; 24 daily and 42 weekly newspapers; more than 300 magazines around the world; digital services businesses; and investments in emerging digital entertainment companies.
Across every division of the company, we are connected by our shared values of innovation, storytelling, creativity, vision, social good and partnership. We believe our biggest asset is our combination of different backgrounds, cultures, and disciplines that come together to form one epic unit. What we do starts with our people.
*This role is targeting on-site employees in Houston, TX, San Antonio, TX, or Charlotte, NC, but we will consider remote employees living outside those areas.
What you'll do:
Hearst Technology is looking for an Application Security Engineer to help progress our application security program. This role will be responsible for the enhancement of the application security program and supporting cloud transformation initiatives. As we strive to shift-left and integrate security into our CI/CD pipelines, the ideal candidate will help developers create secure code and improve code quality. The Application Security Engineer will be responsible for managing all aspects of the program, including but not limited to software composition analysis, static and dynamic testing, and penetration testing. Reporting to the Director, Security Architecture, the ideal candidate will emphasize application security, producing secure code, application testing, and vulnerability lifecycle management.
The Application Security Engineer will deliver secure cloud infrastructure and software using best practices and commercial and open-source security testing tools. This individual will work across departments on key business initiatives, including direct-to-consumer, and support the organization's continued adoption of AWS and Azure cloud services. The candidate will automate security testing in the development process and work with Cybersecurity, Infrastructure, DevOps, and Application Development teams to interpret requirements and translate them into actions while balancing security, agile software development, and continuous integration and deployment (CI/CD).
• Perform security testing of applications early in the software development lifecycle, leveraging DAST and SAST, and assess applications against Cybersecurity best practices, policies, and compliance mandates.
• Manage the security components of continuous integration and delivery software pipeline to ensure security testing is performed throughout the CI/CD pipeline.
• Automate Cybersecurity controls testing within CI/CD pipelines that package, test, and deploy infrastructure and containerized applications.
• Design and implement threat modeling processes to determine the controls needed for a given application within the software development lifecycle.
• Provide SME guidance in assessing cloud infrastructure to address findings resulting from design reviews, threat modeling, and SAST and DAST testing.
• Perform vulnerability assessments and penetration testing, and work across department lines to communicate findings and drive risk remediation efforts.
• Contribute to the decisions being made that impact Hearst's cloud implementations, direction, and cloud security posture.
• Design and implement security risk metrics monitoring to report on threats and the Cybersecurity posture; define data reporting metrics to drive continuous security improvements, including gate checks and an integrated view of projects in the pipeline.
• Perform technical security configuration assessments of cloud platforms such as Microsoft Azure and Amazon Web Services (AWS).
Who you are:
• Bachelor's Degree in a technical discipline (or equivalent work experience)
• Minimum of seven years in IT (a minimum of five years in information security)
• Strong background in penetration testing and Secure Development Lifecycle methodologies; expertise in identifying vulnerabilities, static/dynamic code analysis, and code reviews
• A good understanding of cloud and infrastructure components (server, storage, network, data, and applications)
• Hands-on experience using tools such as Whitehat, Tenable, Veracode, Netsparker, or AppInsight, as well as Jenkins, GitLab, Puppet, Vault, and Grafana or other related automation and orchestration toolsets
• Expertise in working with CI/CD tools and pipelines such as Azure DevOps, Jenkins, GitHub, Gitflow, and artifact repositories
• Experience with collaboration tools such as Jira, sprint planning, and task ownership; comfortable in customer-facing roles
• Understanding of industry-leading practices around cyber risks and cloud security using industry standards such as CIS Benchmarks, Cloud Security Alliance, and NIST SP 800-144 and 800-145
• One or more industry-leading certifications preferred: CCSP, GCSA, CSSLP