
Senior Application Security Engineer
Metro-Goldwyn-Mayer Studios Inc
Culver City, CA
This was removed by the employer on 11/3/2021 12:08:00 PM PST
This is a Full Time Job
Metro-Goldwyn-Mayer Studios Inc. ("MGM") is seeking an Application Security Engineer to expand our security organization. The ideal candidate will have a strong understanding of all phases of the Software Development Lifecycle (SDLC) and DevSecOps principles: planning, creating, testing, and deploying applications and services securely. The candidate should be able to contribute to our cloud security practice and penetration testing program, and to codify security.
The Team: We're an enthusiastic group of hackers who have a passion for protecting our storytellers, creatives, workforce, content and over 96 years of Hollywood history. We pride ourselves on being innovative and progressive in all areas of information and cybersecurity. Our mission is to build frictionless security to support business enablement. Inclusiveness and empowerment are part of our ethos to elevate our team and the infosec community. Our ideal candidate can find creative ways to solve complex security challenges, is not afraid to try new things, and is willing to share their knowledge and empower others.
Responsibilities:
• Write web applications using front-end languages, such as HTML, Java, JavaScript, PHP, .NET, etc.
• Create and maintain Secure Software Development Life Cycle (SDLC) and DevSecOps models including threat modeling, security architecture, and audit reviews.
• Gather security requirements of an application prior to development to promote frictionless enablement by building security into the product and within all phases of the SDLC, taking the shift-left approach. Be a partner and advisor to the Media Technology Group (MTG) DevOps Team.
• Define, maintain, and enforce application security policies, standards, and procedures.
• Perform manual and automated code review of applications.
• Assess vulnerabilities of applications.
• Provide security ratings and mitigations based on assessments and testing of applications.
• Prioritize remediation based on security ratings and the needs of the business.
• Help our team continually build, improve and deliver security as a service.
• Participate in on-call rotation and participate in incident response.
Requirements:
• 5 years of experience, with prior experience as a penetration tester.
• Experience with microservices and containerization.
• Knowledge of OWASP Top 10, threat modeling, static application security testing and dynamic application security testing.
• Experience with CIS, NIST, and other frameworks for on-prem and cloud environments.
• Experience with identity providers such as Azure, Okta, Ping, etc.
• Experience with SAML, OIDC, and OAuth.
• Python knowledge is required.
• Experience with Kubernetes, Docker, Ansible, Jenkins, GitLab, etc.
• Experience with AWS and Azure.
• Experience with tools such as Snyk, Veracode, Fortify, Kali, etc.
• Experience testing APIs and mitigating open API vulnerabilities.
• Experience in pentesting and the MITRE ATT&CK framework.
• Knowledge of Zero Trust and FIDO2.
• Strong analytical mindset desired.
• Participation experience in industry events such as DefCon, BSides, ShellCon, etc., a plus.
• Certified Application Security Engineer (CASE), AWS certifications or equivalent certification a plus.