Specialist Application Security Engineer SAST (x2)

• Manage SAST platform and engagement with development teams
• Review code for security vulnerabilities and practices dangerous to security and privacy.
• Write custom rules on automated source code scanning tools
• Script (Python, Perl, Ruby etc) and build automation tools on an ad-hoc basis
• Create and deliver knowledge sharing presentations and documentation to educate developers and operations teams on application security best practices and secure coding techniques.
• Write reports including recommendations, root cause analysis, security summary analysis, and project roadmaps
• Help with tools identification, onboarding and/or tools development to assist developers in the secure development of applications
• Configure, run, maintain, and utilize security tools for the Appsec program, e.g., static and dynamic code analysis tools
• Build process and technology to improve the reporting and prioritization of identified weaknesses
• Discover threats, vulnerabilities and exploits through architecture design review, threat modeling, code review, SAST and DAST assessments
• Triage issues found by tools, external reports, and various tests, to accurately assess the real risks
• Offer remediation guidance to stakeholders for identified issues and serve as an escalation resource for developers as they reduce issues
• Draft application security policies, standards and guidance documentation that can be leveraged in the secure development of products and services
• Monitor latest web application security developments and security trends to continually improve internal processes;
• Work with DevOps team to improve Application Security; Research, Prototype, integrate Security Tools into CI/CD pipeline (container security, SAST, DAST, IAST, third party vulnerability Scanning, etc) aiming to achieve 100% coverage of all deployment/build pipelines
• Collaborates cross-functionally with analysts, engineers, data scientists to achieve continuous improvement in cyber defense/resilience.
• Provide mentorship and training on areas of expertise to junior Application Security team members.

• Bachelor or Master degree in Information Systems, Computer Science or equivalent and at 6 years of experience in a related field
• Strong understanding of common software and web application security vulnerabilities. including OWASP top 10, SANS/CWE Top 25 etc.
• Security verification of web applications or mobile apps using OWASP ASVS/M-ASVS and testing guides
• Hands-on experience with tools and technologies used throughout secure SDLC (e.g., Burp Suite/ZAP, Fortify/Checkmarx /Veracode, WhiteSource/Blackduck).
• Experience driving application security requirements in a traditional SDLC and through stories and epics in an Agile and SCRUM development environment
• DevOps experience building and deploying infrastructure with cloud deployment, build and test automation technologies like ansible, chef, puppet, docker, jenkins, gitlab etc.
• Good hands-on experience with AWS foundation services related to compute, network, storage, content delivery, administration and security, deployment and management, automation technologies
• Ability to review, understand and proficiency with two or more of (JavaScript, Python, Java, Swift. Kotlin etc)
• Experience with scripting languages (e.g., Python, Ruby) and automating tasks
• Experience building and maintaining relationships, excellent verbal and written communication skills and effective working with virtual teams
• Team-oriented, placing priority on the successful completion of team goals
• Self-starter with a high degree of initiative

• Vast opportunities to learn, develop, and move up and across our global organization.
• Diverse and inclusive community of belonging, where colleagues are empowered to bring ideas to the table, take risks, and act.
• Generous Amgen Total Rewards Plan comprising healthcare, finance, wealth and career benefits.
• Flexible work arrangements.

Amgen