Application Security Engineer

Mid-level
🇦🇺 Australia
Security Engineer
Technology

We are investing heavily in the future of our organisation, our technology and, most importantly, our teams. At TAL you will be part of the Cyber Security team, which looks after the end-to-end security.

We are seeking an experienced Application Security Engineer to enhance our security posture by integrating security practices into our software development lifecycle. The ideal candidate will collaborate closely with product development teams to identify, analyse, and mitigate security vulnerabilities in our applications and services.
As an Application Security Engineer at TAL, you will be responsible for ensuring the security of our applications by implementing and maintaining robust security measures, and for ensuring that applications are onboarded to Application Security tools and that Application Security plug-ins are continuously integrated into the CI/CD pipeline.

You will work closely with development teams to identify, mitigate and risk assess security vulnerabilities throughout the software development lifecycle. You will also foster security awareness and security culture, providing security training to development teams.
You will collaborate with Business, Risk and Cyber and other stakeholders to understand business requirements and translate them into technical solutions while improving application security and compliance of the products.

Key Accountabilities:

• Security Guidance: Drive Application Security strategy across the Enterprise and provide timely support and education to development teams on application security best practices, including secure coding techniques and the use of security tools.
• Security Integration: Work with product development teams to design and implement secure solutions, ensuring adherence to secure coding practices throughout the software development lifecycle (SDLC), onboard applications to application security tools and integrate Application Security plug-ins with the CI/CD pipeline so that security issues are identified during the coding stage.
• Vulnerability Management: Identify, analyse, and remediate vulnerabilities identified through Application Security tools, regular security assessments, penetration testing, and code reviews.
• Threat Modelling: Lead application threat modelling sessions and application architecture reviews to proactively identify and address security threats and conduct security assessments on applications to identify and remediate vulnerabilities.
• Application Security Tools Management: Evaluate, recommend, and manage Application Security tools and technologies including related policies and procedures that enhance application security, including static and dynamic analysis tools. Execute planned and ad-hoc security scans of software applications and interpret results for development teams.
• Documentation and Reporting: Maintain comprehensive documentation of application security processes and controls, security vulnerabilities, risk assessments, and remediation plans. Prepare security metrics and reports for stakeholders.
• Collaboration: Collaborate with product development teams, Cyber and other stakeholders, including incident response, threat detection, and forensics teams, to address security incidents and improve overall security posture.
• Training and Awareness: Develop and deliver security training programs for developers and other stakeholders to foster a security-first culture.
• Organisation Knowledge: Build a holistic understanding of TAL’s systems, products, applications, development workloads and lifecycles as well as current TAL policies, standards and processes.
• Vendor Management: Work with vendors to tailor application security tools to fit TAL workloads and improve policies and processes currently in place.
• Development: Ensure required training and development is undertaken in a timely manner and keep up to date with the latest industry trends in cyber security including what technologies and controls may be the best fit for certain solution requirements with an emphasis on security.

Requirements

• A relevant tertiary qualification, preferably a Bachelor’s degree in Computer Science, Information Technology or equivalent.
• Minimum of 3 years in application security, software development, or a related IT role, with a strong focus on security practices including development, secure coding and vulnerability management, threat modelling and secure architecture.
• Experience in Static Application Security Testing (SAST) tools such as Checkmarx, Snyk, Synopsys, etc., Software Composition Analysis (SCA) tools such as Snyk, Black Duck, Sonatype, etc., and Dynamic Application Security Testing (DAST) tools such as Checkmarx and Veracode, and an understanding of how to integrate them into CI/CD pipelines.
• Working knowledge of Azure Cloud and associated technologies including but not limited to Azure DevOps, Microsoft Defender for Cloud, Azure Policies and Compliance frameworks, WAF, Firewalls and Entra ID.
• Hands-on development experience in programming languages such as .NET and Java.
• Experience in automation using scripting languages such as PowerShell, JavaScript and Python.
• Knowledge and experience in web application security including the ability to interpret associated security risks and vulnerabilities such as the OWASP Top 10.
• Strong understanding of application security standards (OWASP ASVS, NIST SP 800-218, etc.) and secure coding guidelines.
• Experience with security testing methodologies, including penetration testing, vulnerability assessments and remediation.
• Experience with Agile development methodologies with working knowledge in products such as Jira.
• Fundamental knowledge of microservice architecture (Containerisation, Docker and Kubernetes)
• Experience or knowledge in writing and deploying Infrastructure as Code (IaC), preferably experience in Terraform.
• Knowledge of regulatory and industry standards and frameworks (APRA CPS234, ASD8, CIS 20, NIST CSF and MITRE ATT&CK).
• Relevant certifications (CEH, OSWE, OSCP, CASE, AZ-500, etc.) are preferred but not mandatory.
• Strong analytical and problem-solving skills, with the ability to communicate complex security concepts to non-technical stakeholders.
• Excellent written and verbal communication skills, interpersonal and collaborative skills.
• Ability to deal with ambiguity and work independently with limited direction in a fast-paced environment.
• Penetration testing experience preferred but not mandatory
• Passionate about security, with an intention to always excel and self-driven to develop technical and professional skills.

 

TAL

Australia’s life insurance specialist, providing life, disability insurance and income protection solutions to more Australians than any other insurer.

🏥Good health and wellbeing
Insurance
