Description
We are looking for an Information Security Specialist (Application Security) to join our Cybersecurity Center team.
Responsibilities
- verification of static and compositional analysis results (SAST, SCA) and monitoring the remediation of defects/vulnerabilities identified during research
- verification of potential confidential information leaks in code (passwords, API keys, etc.)
- in-depth analysis of vulnerabilities in supplied software based on requests from consumers
- preparation of recommendations and provision of consultations on remediating identified vulnerabilities
- development of SSDLC practices and methodology, piloting tools, maintaining an internal knowledge base
- participation in elaborating and implementing secure software development practices (SSDP), performing work to assess the compliance of Company processes with the requirements of GOST series on Secure Software Development (GOST R 56939-2024, GOST R 71207-2024, etc.)
- R&D - work on implementing AI to automate application security testing processes.
Requirements
- practical experience with Application Security tools (Checkmarx, PT AI, Svace, Solar AppScreener, SonarQube, Semgrep, CodeScoring, OWASP Dependency-Track, Trivy, Gitleaks, TruffleHog, etc.)
- experience working with SBOM files and manifest files (such as package.json, poetry.lock, Dockerfile, etc.)
- experience in analytical assessment of the applicability of well-known CVE vulnerabilities to applications considering architectural specifics
- in-depth understanding of security threats/vulnerabilities per OWASP Top 10 and methods of protection against them
- knowledge of network technologies and protocols (API, OAuth, OIDC, HTTP/HTTPS, DNS, SSH, WebSocket, FTP, SMTP, etc.)
- knowledge of virtualization and containerization technologies, fundamentals of cryptography, as well as protocols and technologies (JWT, SSL/TLS, HMAC, PKI)
- knowledge of Russian FSTEC regulatory framework (Methodology for detecting vulnerabilities and undeclared capabilities, GOST R 56939-2024, GOST R 71207-2024, etc.).
Would be an advantage:
- experience in supporting (or conducting) certification tests for security tools per Russian FSTEC line or experience auditing Company processes against the requirements of GOST series on Secure Software Development
- successful experience in implementing AI for automating application security testing processes
- experience as a software developer.
Conditions
- comfortable modern office near Tulskaya metro station
- opportunity to choose a convenient schedule – office/hybrid
- annual salary review, annual bonus
- corporate gym and relaxation areas
- more than 400 educational programs from SberUniversity for professional and career development
- IT Bootcamp adaptation program
- extended voluntary health insurance, preferential insurance for family and corporate pension program
- employee mortgage on preferential terms, up to 4% better than the standard rate
- free SberPrime+ subscription, discounts on products from partner companies.