Application Security Engineer

Role Overview

Client is seeking an Application Security Expert. The primary work is developing security features for our client’s enterprise digital commerce software alongside teammates who share the same goal. While the role is focused on writing code, it also involves as much or as little design, test or lead responsibilities as appropriate for your preferences, abilities and project needs.

Since the work is security focused, a successful candidate could expect to participate in or lead security development life cycle exercises such as threat modeling, source code analysis, penetration testing, etc. A successful candidate will be called upon to provide expert application security advice and general development advice to teammates and other teams as needed. There will also be opportunities to provide application security advice for large scale projects involving prominent tier-1 and tier-2 Internet and telecom companies.

The software is service oriented and composed mostly of Java based REST and SOAP web services as well as RIA UI. The work spans many areas of application security for enterprise software, including lots of cryptography, key management, web service and UI authentication, authorization, PKI, TLS, credit card tokenization/PCI-DSS and more. The software runs on a tiered collection of virtualized Linux servers in both cloud and dedicated hosting environments.

Major Responsibilities

• Work within an agile (scrum) development environment
• Develop security and cryptography features for enterprise Java software with a focus on web services and web applications
• Work with product managers, architects, and software development teams in the definition of security requirements
• Define security testing and validation approaches
• Participate in designing and building software security test infrastructure and tools
• Educate software development teams on security principles and best practices
• Participate in review of software design and implementation, work with software development teams on correcting issues
• Assess compliance of software to security requirements
• Contribute to documentation and best practices for the secure deployment and operation of Qpass software
• Collaborate with the operational team to ensure compliance with customer security requirements
• Communicate Digital Commerce policies, compliance, and status related to security requirements to both internal and external stakeholders
• Work across departments in building and maintaining a security aware organization

Requirements

• Experience developing Java enterprise applications for Tomcat (or similar) on Linux/UNIX.
• Experience with web development, especially Spring based REST and SOAP web services on top of JPA/Hibernate backed by MySQL and/or Oracle.
• Extensive experience with cryptography using Java JCE.
• Experience with authentication and authorization using JAAS/Spring Security for web applications.
• Extensive experience with X.509 certificates, PKI and TLS.
• Knowledge of OWASP Top 10 vulnerabilities and how to avoid or mitigate them.
• Experience with one or more of the following: threat modeling, security code review, penetration testing.

Preferred Skills:

• Bash shell scripting experience.
• Experience providing support and troubleshooting of your software in production.
• Experience with PCI-DSS/PA-DSS.
• Working knowledge of single sign-on and federated identity technologies.
• Experience with RIA UI, especially GWT.
• Experience working with certificate authority software.
• Experience using smart cards from Java applications.
• Experience administering Linux systems, especially RedHat based systems.
• Experience with network and/or host based firewalls and load balancers.
• Experience with using cloud environments such as Amazon EC2 or OpSource.
• Experience with OS virtualization, especially VMware.
• Experience with performance testing and profiling.

This role requires strong verbal and written communications skills, position-appropriate mentoring/leadership abilities, ability to quickly master new systems and/or processes, capacity to stay organized while managing competing priorities, and a deep customer service orientation, both internally and externally.