Description
SberTech invites an Application Security Expert/Specialist to join its Development Security (Cybersecurity) department. Our team, in close collaboration with other SberTech production teams (architects, developers, testers, etc.), is directly involved in creating and developing an innovative product for the Russian and international markets - Platform V, which will help both internal and external users quickly and easily create and subsequently operate natively secure low-code applications.
Responsibilities
- verification of static and software composition analysis (SAST, SCA) results and monitoring the remediation of identified defects/vulnerabilities
- verification of potential leaks of confidential information in code (passwords, API keys, etc.)
- in-depth analysis of vulnerabilities in delivered software based on requests from consumers
- preparation of recommendations and providing consultations on remediating identified vulnerabilities
- development of SSDLC practices and methodology, piloting tools, maintaining internal knowledge base
- participation in the development and implementation of secure software development practices (SSDP), performing work to assess the compliance of the Company's processes with the requirements of the GOST series Secure Software Development (GOST R 56939-2024, GOST R 71207-2024, etc.);
- R&D - work on implementing AI for automating application security testing processes.
Requirements
- practical experience with Application Security tools (Checkmarx, PT AI, Svace, Solar AppScreener, SonarQube, Semgrep, CodeScoring, OWASP Dependency-Track, Trivy, Gitleaks, TruffleHog, etc.)
- experience working with SBOM files and manifest files (such as package.json, poetry.lock, Dockerfile, etc.)
- experience in analytical assessment of the applicability of well-known CVE vulnerabilities to applications considering architectural features
- in-depth understanding of security threats/vulnerabilities according to OWASP Top 10 and methods of protection against them
- knowledge of network technologies and protocols (API, OAuth, OIDC, HTTP/HTTPS, DNS, SSH, WebSocket, FTP, SMTP, etc.)
- knowledge of virtualization and containerization technologies, cryptography fundamentals, as well as protocols and technologies (JWT, SSL/TLS, HMAC, PKI)
- knowledge of the regulatory framework of the FSTEC of Russia (Methodology for detecting vulnerabilities and undeclared capabilities, GOST R 56939-2024, GOST R 71207-2024, etc.).
Will be an advantage:
- experience supporting (or conducting) certification tests of information security tools through the FSTEC of Russia or experience auditing Company processes for compliance with the GOST series Secure Software Development requirements;
- successful experience in implementing AI for automating application security testing processes;
- experience as a software developer
- skills in working with generative AI models; experience creating and using AI agents in work
- experience using GigaChat, Kandinsky and similar products, skills in creating and using AI agents.
Conditions
- hybrid work format
- annual bonus and annual salary review
- status of an accredited IT company with all benefits
- extended corporate health insurance from day one and preferential family insurance
- Sber Corporate University, internal educational platform, participation in IT conferences
- office with a view of the embankment, relaxation areas, and a gym
- flexible mortgage discount equal to 1/3 of the Central Bank's key rate
- SberPrime+ subscription, discounts from partners and group company services.