H-E-B is one of the largest independently owned food retailers in the nation, operating over 400 stores throughout Texas and Mexico, with annual sales generating over $25 billion. Described by industry experts as a daring innovator and smart competitor, H-E-B has led the way with creative new concepts, outstanding service and a commitment to diversity in our workforce, workplace and marketplace. H-E-B offers our 109,000+ Partners (employees) a wealth of career opportunities, a competitive compensation and benefits program, and comprehensive training that lead to successful careers.
Our Partners thrive The H-E-B Way. As a Lead Application Security Engineer, you would have a…
HEART FOR PEOPLE… you have a passion for mentorship and guidance, and love for the direct person-to-person interactions that create strong bonds between teams
HEAD FOR BUSINESS… you have an ownership mentality and a consistent track record of timely delivery of high-quality software
PASSION FOR RESULTS… the ability to guide the discussion, remove roadblocks, and provide guardrails for your team as they identify challenges and propose solutions
What you’ll do at H-E-B:
As an Application Security Engineer, you will work closely with Product Design, Software Development, Production Operations, and other members of the Security group to maintain and enhance the security of our mobile, web, and server software applications. This work involves several technology stacks and multiple hardware platforms.
- Design, integrate, and test a suite of tools for security management of multi-tenant private and public cloud application services.
- Develop secure design patterns for cloud architectures developed in public or private cloud environments.
- Support vendor and partner security assessments.
- Actively audit the infrastructure and applications for security problems while prioritizing fixes.
- Build repeatable and testable security infrastructure.
- Research emerging trends and technologies to assess the threats they may face.
- Provide security expertise on system, network, encryption, authentication, and governance.
- Recommend configuration changes to improve the performance, usability, and value of cyber analysis tools.
- Assist with product studies, perform requirements analysis, and develop software architectures to meet requirements.
- Create technical proposals and white papers, and write functional and design specifications.
- Measure compliance against standards.
- Identify security vulnerabilities in applications written in C++, C#, and Java for modern versions of Linux and Windows via code reviews and reverse engineering.
- Identify weaknesses in various network protocols.
- Offer solutions to discovered vulnerabilities.
- Develop tools and scripts to aid in reverse engineering and vulnerability discovery.
- Suggest secure design techniques to management and customers to improve application security posture.
- Prepare reports on project progress and present results to the customer and management.
- Contribute to maturing process, policy, and standards guidance.
- Maintain current knowledge of relevant vulnerabilities and mitigation techniques.
- Research emerging technologies and maintain awareness of current security risks.
- Other duties as assigned.
Who You Are
- Bachelor's degree or 7+ years relevant work experience.
- 3-5 years of experience (preferred) with security management of cloud-based services (SaaS) in a fast-paced Agile environment.
- At least two certifications in Application Security or Pen testing (CSSLP, GSSP-x, CEH, GPEN, GWAPT, GMOB).
- Mid- to expert-level knowledge of AWS, Azure, and Google Cloud Platform.
- Hands-on experience with security management and issues surrounding virtual machines, containers, and applications.
- Strong knowledge of build systems, the microservices model, and continuous integration/deployment practices.
- Familiarity with cloud-based security standards and frameworks.
- Knowledge of SDLC practices.
- Ability to perform comprehensive code reviews.
- Working knowledge of Python 3 or another popular scripting language on the Linux platform.
- Strong knowledge of public key cryptography, web services SSO strategies, and CVSS scoring.
- Experience with modern development tools such as Visual Studio 2010+, GCC 4.8+, Git, or Jenkins.
- Understanding of one or more automated code auditing/vulnerability tools: Checkmarx, IBM AppScan, Veracode, WhiteHat, or Burp.
- Experience with automation and DevOps technologies (such as Puppet, Chef, or Ansible).
- Experience with one or more modern RE tools: IDA Pro, WinDbg, Radare2, OllyDbg, Binary Ninja.
- Strong knowledge of open-source libraries/packages.
- Experience architecting, deploying and managing a suite of security management tools, including tools for: WAF, SIEM, log management, DDoS protection, pen testing, vulnerability management, automated code analysis, and anti-malware.
- Excellent oral and written communication skills.
- Awareness of security standards and frameworks relevant to the SaaS industry (e.g. ISO, NIST, CSA).