This position is also responsible for assessing the security of applications for business-to-business initiatives, third-party relationships, outsourced solutions and vendors. Considered a highly knowledgeable individual, the Senior Application Security Engineer is expected to identify and contribute to programmatic controls, monitor and manage secure development practices to address modern day issues, and act as subject-matter experts on multiple types of vulnerabilities and attacks. Senior Application Security Engineer think like attackers, but always acts with integrity and do not abuse their privilege.

• Perform vulnerability and penetration testing.
• Document security findings with reasonable reproduction steps and methodologies for remediation.
• Focus on automation to aid in efficiencies with both testing and remediation of findings.
• Develop, share, and maintain tools and scripts used in penetration-testing and red team processes.
• Work with teammates to learn and regularly share skills and foster team excellence.
• Work in tandem with developers to provide repetitive validation testing prior to production, while allowing for a continuous cycle of development followed by application security assessments.
• Monitor the security community for public-facing security issues and evaluate impact.
• Attend and participate in application project and product stakeholder meetings. This includes interacting with business units and technical teams to understand what is coming and how their projects can be more secure from the beginning.
• Improve and follow security review processes to ensure an automated and repeatable process is managed. This can be through the use of dynamic and static code analysis resources.
• Use security standards and implementation configurations, as well as common security frameworks.
• Prepare for and manage bug bounty programs.
• Document delivery and implementation improvements to meet and improve service-level agreements.
• Participate in, and occasionally lead, security team meetings that facilitate secure design.
• Highly engage in information security projects that evaluate existing security infrastructure and propose changes to align with requirements from security leadership and architects. Additionally, deliver projects on time, within budget, and in accordance with SLAs.
  • (SLAs) and business metrics.
  • Align with architects and development teams for a mission of secure design.
  • Train developers and junior application security engineers on weaknesses to avoid.
• Identify and develop practices to support application security in a highly compliant and regulated environment - FedRAMP Moderate, ISO 27001, General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act of 1996 (HIPAA), etc.
• Work in tandem with architects, other security engineers, the security operations center (SOC), and infrastructure and development team members.
• Develop security test plans from architectural design. Identify deficiencies and make enhancements to ensure production is not impacted.
• Identify and drive security efficiencies, enabling security team members to work on more advanced tasks.
• Provide technical guidance to new hires and interns as needed.
• Participate and contribute to threat modeling exercises, may lead as needed/ able.

Skills

• Strong vulnerability and penetration-testing skills for web apps (XSS, SQLI, CSRF, SSRF, XXE, IDOR, etc.)
• Firm grasp of cryptographic algorithms (AES, SHA, HMAC, RSA, ECC, etc.) and how to exploit their misuse
• Understanding of cloud platforms (AWS, GCP, Azure, etc.) and how to exploit vulnerabilities within those environments
• Working knowledge of multiple threat modeling frameworks
• Proficiency in software development (Java, Golang, Python, etc.)
• Solid understanding of network and web protocols
• Excellence in communicating business risk from cybersecurity issues

Experience

• 4+ years of experience in cybersecurity with a focus on penetration testing and application assessment. Additional experience in software engineering is a plus.

Travel Requirement

• Minimal, Up to 10%

Working Conditions & Physical Requirements

• Reliable Internet access for any period of time working remotely, not in a Workiva office.

How You’ll Be Rewarded

• Base Pay Range in Colorado: $124,000 - $158,000

• A discretionary bonus typically paid annually

• Restricted Stock Units granted at time of hire

The base pay range represents the low and high end of the hiring range for this job. Actual pay will vary and may be above or below the range based on various factors including but not limited to relevant skills, experience, and capabilities.