Senior Application Security Engineer

Overview

Welcome to Gordon Food Service! We are excited that you are thinking about opportunities with us, and we have an amazing story to share. See below for a quick glance of who we are and the impact you could have on the food service industry. There s a seat at our table for you...

Position Summary:

The Senior Application Security Engineer develops and maintains the application security environment for all Gordon Food Service Information Technology.

• Establish strategic direction for software security standards, practices, tools, and lifecycle processes at Gordon Food Service.

• Oversee design-time threat modeling and risk assessment activities for deployed software solutions; mentor project teams in the practice of threat modeling.

• Conduct initial high-level risk assessments of SaaS (cloud) and COTS (commercial package) software solutions.

• Maintain secure coding standards and best practices for custom software development at Gordon Food Service.

• Work closely with Application Services teams and with the Gordon Food Service quality architect and QA/QC team to ensure that security controls are in place for Gordon Food Service custom software and it is security tested.

• Provide secure software development mentoring and guidance to Gordon Food Service software engineers.

• Perform internal penetration testing against new or modified software solutions.

• Coordinate external security assessments (e.g., “grey-box” web application penetration tests).

• Serve as the Enterprise Information Security (EIS) team resource to represent EIS concerns on the Gordon Food Service Application Engineering Council (AEC) and Application Architecture Council (AAC).

• Research and keep abreast of the dynamic threat landscape associated with software security, adapting Gordon Food Service protection strategies to proactively cope with emerging threats.

• Other duties and responsibilities as assigned.

• Monday to Friday, 8am to 5pm

• Hybrid schedule, 4 days in office in Wyoming, MI with 1 day remote

• Bachelor s Degree in Computer Science, Information Technology or a related field preferred.

• Five or more years previous related experience or an equivalent combination of education, training, and experience.

• Solid grasp of standard web application development technologies such as:
  Java, Python, JavaScript, Maven, HTML5, frontend tools (NPM, Grunt, Gulp, etc.), current frameworks (Angular, Backbone, Ember, React
  
  JS, Kotlin, Spring etc.).

• Experience in Dev Ops and containerized cloud environments a plus, including Docker, Google Cloud Platform (GCP) and Kubernetes.

• Familiarity with automated analysis / security testing technologies such as:
  Static Application Security (SAST), Dynamic Application Security Testing (DAST), Interactive Application Security Testing (IAST) and Runtime Application Self-Protection (RASP).

• Thorough understanding of web application security and vulnerability / attack patterns such as those enumerated in the OWASP Top 10.

• Thorough understanding of the software development lifecycle and the ways in which security disciplines are incorporated into it and throughout its stages.

• Proficiency with web application penetration testing tools such as Burp Suite or OWASP ZAP.

• Familiarity with software security maturity models such as OSAMM or BSIMM.

• Familiarity with threat modeling and security risk analysis tools and processes.

• Familiarity with secure software design and coding practices.

• Thorough knowledge of security testing practices and supporting methodologies such as OWASP ASVS (Application Security Verification Standard).

• Ability to mentor less-experienced development staff and clearly communicate the goals of software security, the risks of insufficient security controls to the organization, the nature of common vulnerabilities, and the best practices for mitigating them.

• Ability to advocate for security, identity, and compliance imperatives in council discussions with senior domain engineers and application architects.

• Ability to assess security risks within the context of real-world software solutions and develop common-sense, pragmatic mitigation strategies in collaboration with project teams and business stakeholders

All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, age, status as a protected veteran, or status as a qualified individual with disability. If you require reasonable accommodation for any part of the application or hiring process due to a disability, please submit your request to  and use the words “Accommodation Request” in your subject line.

All Gordon Food Service locations are tobacco-free.

Gordon Food Service is a drug-free workplace and conducts pre-employment drug tests.