Ultimate Software is seeking an Application Security (AppSec) Engineer to work in our Global Security team. Ultimate Software’s (USG) Global Security Research and Architecture (GSRA) application security team is responsible both for finding bugs and for designing mitigations for broad classes of bugs. We use and work on state-of-the-art tools, maintain the infrastructure that supports our efforts, and empower Product Development to move quickly without compromising on safety. Because of the nature of USG’s product, nearly every system we operate needs to interact with sensitive financial and personal data, making the security team an extremely dynamic environment to join.
We are looking for someone with a strong application security engineering and development background. The ideal candidate can discuss abstract concepts or lead meetings but is not afraid to dive deep into technical details (from whiteboard to Java code, from Microsoft Word to the Linux console).
Essential Duties and Responsibilities:
- Work with our code
- Develop techniques to ensure development teams find flaws before they are introduced into production
- Be a security subject matter expert and respond to any security development question
- Work with development teams to design solutions that are inherently secure
- Be a champion for simple security models
- Correctly balance security risk and product advancement
- Lead software security initiatives
- Lead or participate in threat modeling discussions
- Perform code deep dives to uncover security vulnerabilities or design flaws
- Document findings and architectural issues for consumption by development and other security teams
- Evaluate the security posture of existing applications
- Perform proactive research to detect new attack vectors and pentest internal and external apps
Required Skills and Experience:
- Software development experience in a production environment
- A deep understanding of web application architecture
- A knack for finding flaws in software and the ability to communicate efficiently how to fix them
- Strong communication skills; accustomed to working closely with a product team
- Doesn’t always default to industry norms when solving a problem
- An ability to think like an attacker to develop threat models
- Has designed and implemented mitigations for common classes of bugs
- Five or more years’ experience in:
  - Authentication (identity management, MFA/2FA)
  - Applied cryptography (PKI, appropriate usage of cryptographic primitives, digital signatures, hashing, HMACs)
  - Authorization (claims, RBAC, fine-grained and coarse-grained access control, XACML, OAuth, SAML)
  - Web services security (WS-Security, OAuth, JWT)
  - Static source code review tools (e.g. Fortify, AppScan Source, Contrast, etc.)
  - Application service hardening (CIS benchmarks, NSA/DoD STIGs)
- Coding experience in one or more general languages
- Mobile App development experience a plus
Check out how we give our employees the chance to work on whatever project they want for 48 hours! https://youtu.be/2Aw55CP1IO8
Typical Interview Process:
- If your application is selected, a Talent Acquisition Team Member will reach out to schedule a phone screen.
- If selected to move forward, you will complete a HackerRank Coding Assessment.
- If you pass, you will either move forward to a technical phone call for an additional screening, OR directly to an onsite interview.
- Offer stage.