Application Security Engineer at Fincra

Role Overview

• Reporting to the CISO, the Senior Application Security Engineer will ensure that security is embedded in how we build our products from design and developments to testing to how we run them and partner with product and engineering teams to strategically guard against existing or emerging threats.
• This position is responsible for cultivating a culture of security awareness across engineering & product teams.
• The ideal candidate has deep technical security knowledge and expertise and will help define and implement robust security architecture strategies, frameworks and governance processes.

What You’ll Be Expected To Do

• Implementing and deploying security solutions, including workplace security, endpoint security, network and system security.
• Contribute to requirement gathering with the product team in the area of application security.
• Performing cyber-security, information security risk assessments and conducting security work planning based on risk priority.
• Establishing and executing security operation and maintenance processes, handling security incidents and following up to close security findings.
• Monitoring and analyzing security alerts and carrying out immediate quarantine or remediation procedures.
• Upholding code reviews across all code platforms.
• Manage integration with vulnerability check tools such as Static Code Analysis and Dynamic Code Analysis tools.
• Provide support on all application security activities.
• Administering and carrying out configuration optimization on Web Application Firewalls.
• Be the subject matter expert for application security solutions.
• Overseeing the approval, training, and dissemination of security policies and practices across the organization.
• Initiating, facilitating and promoting activities to create information security awareness within the organization.
• Direct and coordinated implementation of security controls and compliance requirements across the organization, including Engineering and DevOps.
• Facilitating requests for validation of baseline configurations for purposes of regulatory compliance assessments and audits – such as those for PCI DSS compliance.
• Monitoring and enforcing compliance with Information Security policies and procedures according to PCI DSS regulatory standards.
• Implementing and enforcing relevant Information Security and data privacy standards and regulations such as ISO 27001,ISO 22301, NDPR
• Staying up to date with the latest threats and vulnerabilities to ensure operational tools, processes, incident response plans are up to date and effectively tested.
• Work directly with the business units to facilitate IT risk assessment and risk management processes, and work with stakeholders on identifying acceptable levels of residual risk.
• Take ownership of all company audit and security certifications processes.
• Liaising with partners and vendors in carrying out activities not limited to audit, VAPT as well as other information security posture assessments and security implementations.
• Providing regular reporting on the current status of the information security program to the CEO and the board of directors as part of a strategic enterprise risk management program.

Eligibility Requirements

• Minimum of seven (7) years post NYSC relevant experience in Information Security.
• Very strong knowledge of cloud architecture and security.
• Experience in Implementing security controls using standards such as PCIDSS, ISO 27001 and ISO 2230.
• Strong understanding of cybersecurity concepts and principles.
• Strong understanding of System Architecture, both On-prem and Cloud.
• Strong software design and implementation know-how, strong familiarity with web protocols, a thorough knowledge of Linux/Unix tools and architecture, and being well-versed in application security and infrastructure security.
• Experience of performing cyber assessments on systems (including Cloud assessments)
• Experience of Threat Modeling and Impact/Likelihood assessments
• Understanding of emerging technologies and corresponding cybersecurity threats
• Experience in service-oriented architecture and web services security
• Understanding of OWASP 10.
• Experience in deployment and administration of security solutions (SIEM, WAF, DAM, etc)
• Certifications such as CompTIA Security+, CEH, CISSP, CCSP, IS0 22301 LI, ISO 27001 LI could be an added advantage.