Security engineer Job at PRIMUS Global Services, Inc, Dallas, TX

  • PRIMUS Global Services, Inc
  • Dallas, TX

Job Description

Security Engineer - SAST - Remote - 63096

One of our top clients has an urgent need for a Security Engineer - SAST to work remotely on a long-term contract.

Pay Rate: $50-$55/hr

  • SAST/SCA Experience – General experience working with Static Application Security Testing (SAST) and Software Composition Analysis (SCA) tools.
  • SAST/SCA (Veracode) Onboarding & ServiceNow Management – Ability to onboard applications into Veracode, configure scans, troubleshoot integration issues, and effectively manage Veracode-related RITMs within ServiceNow. This includes handling requests for adding/removing applications, teams, and API accounts, as well as reviewing mitigation submissions.
  • GitLab CI/CD Security Operations – Strong understanding of GitLab CI/CD pipelines and how security scanning tools, including Veracode, are integrated. Ability to troubleshoot security scan issues, analyze pipeline failures, and determine when to escalate to the engineering team for resolution.
  • Mitigation Assessment & Approval – Expertise in evaluating remediation plans and compensating controls to determine their effectiveness in addressing security risks. Ability to make informed approval or denial decisions based on industry best practices and organizational security policies.
  • What specific SAST and SCA tools should the candidate be familiar with?
    • Veracode, GitLab Ultimate
  • How much experience should they have with these tools?
    • The candidate should have a solid understanding of how these tools function and their purpose within the security framework. While deep expertise is not required, they should be comfortable navigating the tools and leveraging their capabilities effectively.
  • What will the candidate's responsibilities be when onboarding and managing applications in security tools?
    • Upon receiving a RITM (Request Item), the candidate must extract relevant details from the ticket and properly configure the team/application in Veracode with accurate data. They should ensure all necessary information from the ticket is correctly applied or take appropriate action based on the request.
  • What troubleshooting skills are crucial for resolving integration issues with security tools?
    • The candidate should be proficient in navigating GitLab pipeline jobs and gleaning useful information from the command-line interface logs. Additionally, they should be able to navigate Veracode or other SAST platform tools when helping a dev or customer, and know when to engage other appropriate teams for resolution if further support is required.
  • How should the candidate handle security-related tasks and requests in ServiceNow?
    • The process aligns with the responsibilities outlined in question 3. The candidate should review the request details, ensure accuracy, and take the necessary steps to fulfill the request appropriately.
  • What kind of experience should they have with integrating security scanning tools into CI/CD pipelines?
    • While they are not expected to develop integrations themselves, the candidate should have a working knowledge of how SAST and SCA tools integrate into GitLab. They must understand these integrations well enough to assess their functionality and troubleshoot basic issues.
  • How should the candidate evaluate and approve remediation plans and compensating controls?
    • The candidate should thoroughly review requests, ensuring all necessary details are included. If information is insufficient, they should engage with the requestor (e.g., developers) to obtain additional details. Once the full context is available, they must assess whether the proposed remediation or compensating control effectively mitigates the risk and take the appropriate action to approve or deny the request.
  • Will the candidate be involved in remediating issues found in scans? If so, to what extent?
    • No, the candidate will not be directly coding fixes. However, they will act as a consultant, working closely with developers to help them understand identified vulnerabilities and guide them in remediating their code effectively.

For Immediate Consideration, Please Contact

AISHWARYA

PRIMUS Global Services

Direct - (972) 798-2408

Desk - (972) 753-6500 Ext. 215

Email: [email protected]

Job Tags

Remote job, Full time, Contract work, Immediate start
