Requisition ID: 284152
Work Area: Software-Design and Development
Expected Travel: 0 - 10%
Career Status: Professional
Employment Type: Regular Full Time

COMPANY DESCRIPTION

SAP started in 1972 as a team of five colleagues with a desire to do something new. Together, they changed enterprise software and reinvented how business was done. Today, as a market leader in enterprise application software, we remain true to our roots. That’s why we engineer solutions to fuel innovation, foster equality and spread opportunity for our employees and customers across borders and cultures.

SAP values the entrepreneurial spirit, fostering creativity and building lasting relationships with our employees. We know that a diverse and inclusive workforce keeps us competitive and provides opportunities for all. We believe that together we can transform industries, grow economics, lift up societies and sustain our environment. Because it’s the best-run businesses that make the world run better and improve people’s lives.

Role Location: US/Remote

Role Summary

The SAP Ariba Product Security team is looking for a Senior Application Security Engineer with focus on leading and guiding software development teams in executing security tasks within the software development lifecycle (SDLC). Candidates should have experience or working knowledge of modern programming languages such as Java, Python, .NET and common web application stack (HTML/JavaScript Frameworks).

Role Expectations and Tasks 

The Product Senior Security Engineer will be collaborating and working with Product Security Architects to ensure potential security defects are identified, tested, and remediated prior to release of the product.

• Review the application code for Security vulnerabilities and publish the report to stakeholders with relevant countermeasures and conduct Threat Modeling and Architecture Review from security perspective on need basis.
• Identify potential areas of security improvement in design or implementation and work closely and continuously with teams including Development, Security and Quality Assurance to ensure solutions are highly secure.
• Creates documents to depict the security stature of the application and works with development architects, QA team and others to track the vulnerabilities closure.
• Develops test plans and test strategies for Application Security testing and manages vulnerabilities and works with development team to provide resolutions
• Plays an integral role in the entire software development lifecycle including participation in design sessions, defining functional requirements, working with development teams and testing.
• Design, scope, and lead deep technical assessments on internal and external facing systems
• Work with vulnerability management, production security and other security programs to align remediation efforts and best protect the company from known threats
• Working with SAP Penetration testing team to schedule and scope Periodic Security Tests on the application and publish the report to stakeholders with relevant countermeasures.
• Review and verify third party penetration tests. Work with Engineering teams to remediate vulnerabilities found during the Third-party of customer pen tests.
• Collaborate with Product Security Architects in the design, Implementation and maintenance of security controls in the SDLC relevant to FedRAMP and NIST compliance for on-premise software and SaaS-based offerings.

Role Requirements

• Bachelor’s degree in Computer Science or related discipline with 8 years professional experience in Information Security
• Background in Threat Modeling, Security in SDLC, Secure Coding and Software Assurance
• Relevant industry certifications such as SANS GPEN, GWEB and CSSLP
• Familiarity in modern software development methodologies and tooling (Agile, CI/CD, Jenkins, AWS, GCP, etc.)
• Familiarity with Atlassian Jira and Confluence or similar software bug tracking tools.
• Mastery of web technology and protocols and inherent weaknesses. Before you can break a system, you must understand the system.
• Demonstrated experience in using Static Code Analysis Tools for security (Coverity, Fortify, Sonar, etc.), including security tools for vulnerability management of Free and Open Source (FOSS) components and libraries such as Whitesource, Blackduck and Snyk.
• Experience in using dynamic web application vulnerability scanners, both open source and commercial. (Arachni, Nikto, AppSpider, Qualys,etc.)
• Demonstrated experience in using intercepting proxies to conduct manual security analysis of web applications. (OWASP ZAP, Burp Suite, Fiddler, Postman, etc.)
• Experience and/or working knowledge of modern programming languages such as Java, Python. .NET and common web application stack (HTML/CSS/JavaScript Frameworks)
• The ability to think like an attacker, up-to-date with the current web application threat landscape.

#LI-REMOTE

#SAPSecurityCareersPE

WHAT YOU GET FROM US

Success is what you make it. At SAP, we help you make it your own. A career at SAP can open many doors for you. If you’re searching for a company that’s dedicated to your ideas and individual growth, recognizes you for your unique contributions, fills you with a strong sense of purpose, and provides a fun, flexible and inclusive work environment – apply now.

SAP'S DIVERSITY COMMITMENT
To harness the power of innovation, SAP invests in the development of its diverse employees. We aspire to leverage the qualities and appreciate the unique competencies that each person brings to the company.

SAP is committed to the principles of Equal Employment Opportunity and to providing reasonable accommodations to applicants with physical and/or mental disabilities. If you are in need of accommodation or special assistance to navigate our website or to complete your application, please send an e-mail with your request to Recruiting Operations Team (Americas: Careers.NorthAmerica@sap.com or Careers.LatinAmerica@sap.com, APJ: Careers.APJ@sap.com, EMEA: Careers@sap.com).

Successful candidates might be required to undergo a background verification with an external vendor.

Additional Locations: Virtual - USA