Application Security Architect

Job Location

Issaquah - USA

Monthly Salary

Not Disclosed

Vacancy

1 Vacancy

Job Description

Job Summary

We are seeking an Application Security Subject Matter Expert (SME) with extensive experience in GitHub Advanced Security, dependency management, Software Composition Analysis (SCA), Software Bill of Materials (SBOM), CWE (Common Weakness Enumeration), and CodeQL. This role will focus on implementing and managing application security within GitHub's Advanced Security ecosystem, establishing secure coding standards, and ensuring alignment with the OWASP Top 10 and NIST standards. The ideal candidate will lead efforts to integrate security into the development lifecycle, helping developers proactively identify and address security vulnerabilities early in the process.

Key Responsibilities

  • GitHub Advanced Security Management:
    • Configure, optimize, and manage GitHub Advanced Security tools, including Dependabot, CodeQL, and vulnerability alerts, across repositories.
    • Customize and maintain GitHub Advanced Security policies to enforce security checks and prevent known vulnerabilities in repositories.
    • Work with development teams to embed security checks within GitHub workflows, ensuring alignment with organizational security policies and standards.
  • Dependency Management and Software Composition Analysis (SCA):
    • Leverage GitHub Dependabot to automate dependency updates, prioritizing critical patches and managing third-party risks in collaboration with developers.
    • Oversee SCA processes to detect vulnerabilities in open-source components, maintain visibility across third-party dependencies, and manage risks in real time.
    • Define and maintain a Software Bill of Materials (SBOM) for applications, ensuring traceability and transparency of the components used across projects.
  • CodeQL Configuration and Vulnerability Scanning:
    • Develop, optimize, and execute custom CodeQL queries to detect vulnerabilities aligned with the OWASP Top 10 and CWE classifications.
    • Integrate CodeQL into CI/CD pipelines within GitHub Actions to enable continuous vulnerability detection and remediation recommendations.
    • Collaborate with developers to analyze CodeQL findings and provide actionable feedback to resolve code-level vulnerabilities effectively.
  • Application Security Standards (OWASP Top 10, CWE, and NIST):
    • Ensure compliance with the OWASP Top 10 and NIST standards by embedding these guidelines into GitHub Advanced Security tools and processes.
    • Map identified vulnerabilities to CWE classifications to establish a consistent framework for reporting, tracking, and remediating risks.
    • Implement controls and create workflows to address vulnerabilities in alignment with OWASP, CWE, and NIST guidelines, ensuring robust application security standards.
  • Shift-Left Security and Developer Enablement:
    • Champion shift-left security practices by enabling developers to identify and mitigate vulnerabilities during the early stages of the SDLC within their GitHub workflows.
    • Provide training and resources to empower developers to use GitHub Advanced Security tools, Dependabot, and CodeQL as part of their everyday coding practices.
    • Conduct secure coding workshops and documentation sessions to educate developers on addressing OWASP Top 10 issues and understanding CWE and NIST standards.
  • Continuous Monitoring and Compliance Reporting:
    • Set up automated dashboards and reports to monitor key metrics, including vulnerability resolution rates, false positives, and overall code health.
    • Ensure ongoing compliance with NIST and other relevant standards, creating reports for internal and external audits as needed.
    • Conduct periodic reviews and audits of GitHub security configurations and workflows to maintain alignment with industry best practices and organizational security requirements.

Qualifications

  • Technical Expertise:
    • In-depth experience with GitHub Advanced Security, particularly Dependabot, CodeQL, and GitHub vulnerability alerts.
    • Strong knowledge of dependency management and SCA tools, leveraging GitHub Dependabot for automated dependency updates.
    • Proficiency in using CodeQL for security scanning and customizing CodeQL queries to identify vulnerabilities specific to the organization's codebase.
    • Familiarity with application security standards, including the OWASP Top 10, CWE, and NIST, with experience embedding these standards into GitHub workflows.
  • Experience:
    • 7 years in Application Security, DevSecOps, or a similar role focused on vulnerability management, dependency security, and secure coding practices.
    • Proven track record of implementing and managing security tools within GitHub, including configuration of GitHub Actions for CI/CD integration.
    • Experience working closely with developers to embed security into the SDLC, providing actionable feedback, training, and secure coding guidance.
  • Soft Skills:
    • Excellent communication and collaboration skills for effective interaction with cross-functional teams, including developers, DevOps, and security engineers.
    • Strong problem-solving abilities with a proactive approach to identifying security risks and implementing remediation strategies.
    • Ability to develop clear documentation, reports, and training materials for both technical and non-technical stakeholders.

Employment Type

Full Time
