Senior Application Security Engineer

Job ID: 732030

Location: Brooklyn, NY

Salary Range: $75,000 - $165,000

Division: NYC Cyber Command

Summary

The Senior Application Security Engineer at NYC Cyber Command plays a pivotal role in safeguarding the city's digital infrastructure by identifying and mitigating security risks in software applications.

Job Description

The Office of Technology and Innovation (OTI) leverages technology to drive opportunity, improve public safety, and help government run better across New York City. From delivering affordable broadband to protecting against cybersecurity threats and building digital government services, OTI is at the forefront of how the City delivers for New Yorkers in the 21st century. Watch our welcome video to see our work in action, follow us on social media @NYCOfficeofTech, and visit oti.nyc.gov to learn more.

At OTI, we offer great benefits, and the chance to work on projects that have a meaningful impact on millions of people. You'll have the opportunity to work with cutting-edge technology and collaborate with other passionate professionals who share your drive and commitment to making a difference through technology.

About New York City Cyber Command

Cyber Command is charged with protecting all City systems against cyber threats, including systems that deliver vital services to New Yorkers. Headed by the Chief Information Security Officer of the City of New York, we provide in-depth support to over 100 agencies and offices to protect, detect, identify, respond to, and recover from cyber threats.

The Senior Application Security Engineer at NYC Cyber Command plays a pivotal role in safeguarding the city's digital infrastructure by identifying and mitigating security risks in software applications. Reporting to the Application Security Director, this role involves conducting in-depth security assessments using methodologies like SAST, DAST, and IAST to uncover vulnerabilities in citywide applications. The engineer will oversee the Software Security Assurance Program (SSAP) to ensure compliance with security standards across all city agencies, including cloud-based applications. Responsibilities also include developing and enforcing secure coding practices, managing the use of Software Composition Analysis (SCA) tools, and collaborating with cross-functional teams to implement security requirements effectively. This position is critical in protecting sensitive data, guiding development teams on security principles, and staying ahead of emerging cybersecurity threats. The Senior Application Security Engineer will also mentor junior team members and contribute to the continuous improvement of the city’s application security posture.

Responsibilities will include:

• Conduct and oversee security assessments, including SAST, DAST, and IAST, to identify vulnerabilities in citywide applications and software systems.
• Develop and enforce application security standards, guidelines, and best practices across all city agencies to ensure a secure development lifecycle.
• Evaluate security risks associated with software applications and prioritize remediation efforts to mitigate potential threats.
• Manage the Software Security Assurance Program (SSAP) to ensure that all software applications meet security standards before deployment.
• Oversee the use of Software Composition Analysis (SCA) tools to identify and manage vulnerabilities in open-source and third-party components used in city applications.
• Act as a liaison between cybersecurity teams, software developers, and other stakeholders to ensure security requirements are understood and implemented effectively.
• Perform security assessments of cloud vendors and services, ensuring that cloud-based applications meet NYC3’s security requirements.
• Provide guidance and training to development teams on secure coding practices and application security principles.
• Contribute to the development and implementation of security policies, procedures, and standards to protect the city’s digital infrastructure.
• Stay up to date with the latest cybersecurity threats, vulnerabilities, and technologies to enhance the security of the city’s applications.
• Mentor junior security engineers and developers on security practices and tools to build a stronger, more knowledgeable team.
• Lead or participate in security-related projects, ensuring timely and effective delivery of security solutions.
• Ensure that application security practices comply with relevant regulations, standards, and guidelines (e.g., NIST, OWASP).
• Handle special projects and initiatives as assigned.

Minimum Qualifications:

A baccalaureate degree from an accredited college and four years of satisfactory full-time experience related to projects and policies required by the particular position; OR

Education and/or experience which is equivalent to "1" above.

Preferred Skills:

• The preferred candidate should possess the following:
• Bachelor’s degrees in computer science or information systems or equivalent experience.
• 8 years of experience in software development and security
• Familiarity with programming technologies and logical structures used in web, non-web, native, and mobile software development, including languages like Java, C#, JavaScript, HTML, and others.
• Knowledge of relational databases, web applications and services
• Strong understanding of application security principles, including secure coding practices, threat modeling, and vulnerability management.
• Experience with security testing methodologies such as Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Interactive Application Security Testing (IAST).
• Knowledge of Software Composition Analysis (SCA) tools and practices to identify and manage open-source components and their associated risks.
• Ability to evaluate security risks in software applications and prioritize remediation efforts based on potential impact.
• Experience integrating security practices into the software development lifecycle, including code reviews, security testing, and continuous integration/continuous deployment (CI/CD) pipelines.
• Understanding of securing applications in cloud environments (e.g., AWS, Azure, Google Cloud) and familiarity with cloud security best practices.
• Proficiency in one or more programming languages (e.g., Java, Python, JavaScript, C#) to understand and review code from a security perspective.
• Experience with DevSecOps practices, including automation of security tasks in CI/CD pipelines and collaboration with development teams.
• Familiarity with relevant security standards and regulations (e.g., OWASP, NIST, HIPAA) and how they apply to application security.
• Experience with a variety of security tools, such as vulnerability scanners, SAST/DAST tools, and application firewalls (WAF).
• Strong problem-solving skills and the ability to think analytically when addressing security challenges.
• Ability to clearly communicate security issues and risks to both technical and non-technical stakeholders.
• A commitment to staying updated with the latest trends, vulnerabilities, and tools in the application security field.
• Relevant certifications such as Certified Ethical Hacker (CEH), GIAC Web Application Penetration Tester (GWAPT) are a plus.

To Apply:  Please go to www.cityjobs.nyc.gov and search for Job ID #732030

** Interested applicants with other civil service titles who meet the preferred requirements should also submit a resume for consideration

Additional Information

The City of New York is an inclusive equal opportunity employer committed to recruiting and retaining a diverse workforce and providing a work environment that is free from discrimination and harassment based upon any legally protected status or protected characteristic, including but not limited to an individual's sex, race, color, ethnicity, national origin, age, religion, disability, sexual orientation, veteran status, gender identity, or pregnancy.

OTI participates in E-Verify