Salesforce Applications Security Engineer

Remote: Full Remote
Experience: Senior (5-10 years)

Offer summary

Qualifications:

  • Bachelor's degree in Computer Science or related field.
  • 5+ years of experience in application security.
  • Experience with DevOps release tools like Copado.
  • Strong understanding of secure coding practices.

Key responsibilities:

  • Lead security initiatives for DevOps tools.
  • Manage and configure static code analysis tools.
  • Collaborate with teams to implement security practices.
  • Automate security checks within the development lifecycle.
  • Define security rules for static code analysis tools.
  • Provide training on secure coding practices.

Sprezzatura Management Consulting, LLC TPE http://www.sprezzmc.com
11 - 50 Employees

Job description

Salesforce Applications Security Engineer

Location: Virtual

Other Consideration: US Citizen

Job Summary:

We are seeking a skilled Lead Applications Security Engineer to manage and oversee security processes and initiatives related to our DevOps release tools and pipelines. This role will be focused on ensuring that security is integrated throughout the development lifecycle, including static code analysis and secure coding practices. The ideal candidate will have experience with DevOps release tools like Copado and Auto Rabbit's CodeScan, and will work closely with developers to enable a "shift-left" security approach, empowering teams to identify and resolve security vulnerabilities early in the development process.

Key Responsibilities:

  • Security for DevOps Release Tools: Lead security-related initiatives and manage security configurations for DevOps release tools like Copado and Auto Rabbit’s CodeScan. Ensure that security best practices are integrated into the release pipeline and deployment workflows.
  • Static Code Analysis & Rule Setup: Manage static code analysis tools, configuring and fine-tuning CodeScan and similar tools to ensure optimal rule sets and security checks are in place for all development environments. Ensure the tools are properly set up to automatically detect vulnerabilities and compliance issues in source code.
  • Shift-Left Security Integration: Collaborate with development teams to embed security practices early in the development process by shifting security left in the CI/CD pipeline. Enable proactive identification of vulnerabilities and help developers address issues before they reach production.
  • Security Automation: Automate security checks and controls within the development lifecycle by implementing effective solutions for code scanning, vulnerability management, and remediation directly within the CI/CD pipeline.
  • Rule Definition & Customization: Define and configure security rules in CodeScan and other static code analysis tools based on industry best practices and regulatory requirements. Work to optimize these rules for accuracy and effectiveness in identifying security vulnerabilities.
  • Collaboration with Development & DevOps Teams: Work closely with development, DevOps, and security teams to ensure that security requirements are met across all stages of the software development lifecycle. Provide security guidance on best practices for secure coding, vulnerability detection, and remediation.
  • Training & Awareness: Provide training and awareness to development teams about secure coding practices, tools, and techniques to help them avoid common vulnerabilities and implement secure coding practices from the beginning of development.
  • Incident Response & Vulnerability Management: Lead efforts to investigate, track, and remediate security vulnerabilities identified by static code analysis or other security tools. Participate in incident response processes when security issues are detected.
  • Reporting & Metrics: Develop and deliver security-related reports and metrics to leadership, highlighting the status of security vulnerabilities, compliance efforts, and overall progress on security initiatives in the DevOps pipeline.

Qualifications:

  • Education & Experience:
    • Bachelor's degree in Computer Science, Information Security, or a related field (or equivalent experience).
    • 5+ years of experience in application security, with a focus on static code analysis, DevOps, and CI/CD pipeline security.
    • Proven experience working with DevOps release tools like Copado and Auto Rabbit’s CodeScan or similar tools for continuous security and code scanning.
    • Strong understanding of security principles and secure coding practices, as well as vulnerability management and remediation.
  • Skills & Expertise:
    • Extensive experience in configuring and managing static code analysis tools such as CodeScan, SonarQube, Checkmarx, or similar platforms.
    • Strong experience with Copado, Auto Rabbit, or similar DevOps release management tools.
    • Familiarity with security standards, frameworks, and regulations such as OWASP Top 10, SANS, NIST, GDPR, PCI-DSS, etc.
    • Hands-on experience in integrating security tools with CI/CD pipelines and automation frameworks to facilitate a shift-left security approach.
    • Knowledge of application security testing techniques (SAST, DAST, IAST) and vulnerability management.
  • Preferred:
    • Experience with cloud-based platforms (AWS, Salesforce GovCloud) and their security best practices.
    • Certifications in application security (e.g., Certified Information Systems Security Professional (CISSP) or related certifications).
    • Salesforce certification.
    • Familiarity with container security (e.g., Docker, Kubernetes) and Infrastructure as Code (IaC) security.

Key Competencies:

  • Technical Leadership: Strong leadership skills, with the ability to guide and mentor development and security teams to ensure the effective integration of security within the development lifecycle.
  • Problem-Solving: Excellent analytical and troubleshooting skills, with the ability to quickly assess and address security vulnerabilities and configuration issues in code.
  • Collaboration: Effective collaboration skills, with the ability to work closely with development, DevOps, and security teams to promote security awareness and drive initiatives that improve security posture.
  • Communication: Strong verbal and written communication skills to report findings, share insights, and provide recommendations to both technical and non-technical stakeholders.
  • Continuous Learning: A commitment to staying up-to-date with the latest security trends, vulnerabilities, and tools in the DevOps and application security space.

Transitioning military and/or Veterans with IT/IS, finance, and/or healthcare systems specialties are invited to apply. Sprezzatura is an equal opportunity employer and offers benefits including healthcare, vacation, and paid sick leave.

Company Description

Sprezzatura Management Consulting, LLC (www.sprezzmc.com) is a Washington, DC-area Service-Disabled Veteran-Owned Small Business (SDVOSB) that enables client success by supplying insight and leadership at the intersection of people, processes, and technology.

Required profile

Experience

Level of experience: Senior (5-10 years)
Spoken language(s): English

Other Skills

  • Collaboration
  • Communication
  • Leadership
  • Problem Solving