Senior Security Engineer - Security - OMNI
Philip Morris International
- Portugal
- Permanent
- Full-time
- Identify potential threats by performing threat modeling, architectural design review, source code review, dynamic application security tests (pen test) for the web, mobile and infrastructure
- Coordinate Security Assessments and Remediations with internal and external Software Engineering Teams
- Engage in product features development by leveraging your Security Expertise to shift left activities related to cybersecurity risk assessment
- Engage with the Community of Security Engineers to drive standards and ensure their adoption within the OMNI Subplatform
- Keep yourself updated on trends and risks related to Information and Application Security and provide guidance for security policies and standards.
- Ensure applicable IT Policy Framework (ITPF) controls, regulatory and statutory requirements are addressed early in the development lifecycle.
- Directly contribute to engineering artifacts such as: Good Practices / Standards / Tooling / Ways of Working
- Collaborate with other Software Security experts in the organization to support the configuration of automation tools (e.g., static code analysis)
- Coach and support Engineers in Product Teams on automating security checks in the CI/CD pipelines for their products
- Participate in design and requirement reviews and provide design solutions that allow the application to maintain security without losing functionality. Incorporate design solutions into Development, DevOps and Architectural best practices.
- Participate in awareness initiatives to educate and influence a technical audience on Application Security matters.
- Review and improve security architecture of our Products.
- Perform Security Assessments of our Products on a recurring basis to ensure security requirements are being met.
- Conduct source code and dynamic application security reviews in relevant programming languages and frameworks (Python, Go, TypeScript, JavaScript, React).
- Define security test cases during test automation and develop new tools to improve the security of the group gaming application
- Enhance product security, foster expertise and continuous awareness within the development team, and coordinate necessary security training to proactively address concerns.
- Share high-level plans for sprint planning and present epics with potential security impact to information and the application, including assumed Major Changes.
- Technical degree and/or relevant confirmed experience in IT
- Experience of operating across functions and geographies in large, complex and sometimes uncertain IT environments
- Experience of analysing sophisticated data and turning this into important and practical insights
- Ability to work well in diverse, multinational teams and proven track record to influence others to achieve positive outcomes
- Good presentation, communication & facilitation skills
- Deep understanding of OWASP Top 10 and CWE 25; with proven track record and experience in implementing and integrating remediation strategies
- Excellent understanding of web applications, web servers, layer 7 application technologies, frameworks, and protocols with respect to application development and deployment
- Well versed in web application design, penetration testing, application risk assessment and risk categorization
- Well versed (experience preferred) in driving and implementing secure development practices into the SDLC (SSDLC)
- Ability to successfully integrate security into a developer's world.
- Knowledge of Identity and Access Management (IAM) principles.
- Strong understanding of authentication protocols, encryption, and cloud architectures.
- Vulnerability management and identification, including extensive OWASP knowledge; familiarity with cloud security principles and best practices (AWS, Azure, etc.).
- University degree (Computer Sciences, Information Technology, or a related field).
- Over 7 years of relevant experience in a similar role.
- Understand key processes in cloud technology.
- Experience working in an iterative approach to innovation.
- Fluency in written and spoken English.
- Industry Certifications:
- AWS Certified Security - Specialty
- CSSLP - Certified Secure Software Lifecycle Professional.