Description
SberTech invites an Application Security Expert/Specialist to join the Development Security (Cybersecurity) department. Working closely with other SberTech production teams (architects, developers, testers, etc.), the team is directly involved in building and evolving Platform V, an innovative product for the Russian and international markets. The platform is intended to let both internal and external users quickly and easily create, and then operate, natively secure low-code applications.
Responsibilities
- triage of static analysis and software composition analysis findings (SAST, SCA) and tracking the remediation of the defects and vulnerabilities confirmed during triage
- verification of suspected leaks of secrets in source code (passwords, API keys, etc.)
- in-depth analysis of vulnerabilities in delivered software at customers' request
- preparation of remediation recommendations and consulting on fixing identified vulnerabilities
- development of SSDLC practices and methodology, piloting tools, maintaining an internal knowledge base
- participation in the design and roll-out of secure software development lifecycle (SSDLC) practices, and assessing the compliance of the Company's processes with the GOST series on Secure Software Development (GOST R 56939-2024, GOST R 71207-2024, etc.)
- R&D: applying AI to automate application security testing processes
Requirements
- hands-on experience with Application Security tools (Checkmarx, PT AI, Svace, Solar AppScreener, SonarQube, Semgrep, CodeScoring, OWASP Dependency-Track, Trivy, Gitleaks, TruffleHog, etc.)
- experience working with SBOM files and dependency manifests (package.json, poetry.lock, Dockerfile, etc.)
- experience assessing whether published CVEs actually apply to a given application, taking its architecture and deployment context into account
- in-depth understanding of the threats and vulnerability classes in the OWASP Top 10 and how to mitigate them
- knowledge of network protocols and web technologies (HTTP/HTTPS, WebSocket, DNS, SSH, FTP, SMTP, web APIs, OAuth, OIDC, etc.)
- knowledge of virtualization and containerization technologies, fundamentals of cryptography, and related protocols and primitives (SSL/TLS, PKI, JWT, HMAC)
- knowledge of the Russian FSTEC regulatory framework (the Methodology for identifying vulnerabilities and undeclared capabilities in software, GOST R 56939-2024, GOST R 71207-2024, etc.)
Will be an advantage:
- experience supporting or conducting FSTEC certification testing of information security products, or auditing Company processes for compliance with the GOST series on Secure Software Development
- a track record of applying AI to automate application security testing processes
- experience as a software developer
- skills in working with generative AI models, including building AI agents and using them in day-to-day work
- experience integrating GigaChat, Kandinsky, and similar models into products
Conditions
- hybrid work format
- annual bonus and yearly salary review
- status of an accredited IT company with all associated benefits
- extended voluntary health insurance from day one and discounted insurance for family members
- Sber corporate university, internal educational platform, participation in IT conferences
- office with a view of the embankment, relaxation areas, and a gym
- mortgage rate discount equal to one third of the Bank of Russia key rate
- SberPrime+ subscription, discounts from partners and services of the group of companies.