About the Position
Blackstone’s Application Security (AppSec) Team is responsible for empowering 250+ builders to set and meet security goals by identifying and managing software risks while balancing security with agility.
You will join an ambitious and talented team of security engineers who are responsible for evolving how Blackstone “does security” as it continues to move to modern and next-generation architectures.
The AppSec team partners with Developers to build secure services, and with Engineers to build security into foundational platforms that developers build on.
Together, we also empower members of the broader Cybersecurity team to take on their responsibilities within these new patterns.
- Assess the risk of web and RESTful applications deployed on cloud platforms through threat modeling, building attack trees, and occasionally penetration testing
- Communicate software vulnerabilities and mitigation options to stakeholders that balance business agility with security
- Partner with Developer teams to meet security objectives through training and by integrating vendor solutions, or building your own, into software development processes
- Enable product owners to set security objectives that tie back to unique business requirements, not just industry standards or best practices
- Build efficient, resilient, and well-documented systems so the team can focus on the next challenge instead of operational overhead
- Establish policies & standards to guide builders to meet security requirements
- B.S. in Computer Science, Cybersecurity, Management Information Systems, Engineering, or related technology field
- 3-5 years of experience in Cybersecurity
- Developing in at least one software language, ideally Python but others are okay
- Using and implementing application security tooling such as static analysis (SAST), dynamic analysis (DAST), software component analysis tools (SCA), and/or web application firewalls (WAF)
- Using and augmenting CI/CD tools and concepts to embed security into DevOps pipelines (DevSecOps)
- Building secure containerized applications running on Kubernetes
- Building and implementing solutions to detect compromised applications and/or application user accounts
- Using HashiCorp Vault Enterprise (or another enterprise secrets management solution) to manage secrets at deployment and runtime
- Building in AWS and experience with essential services such as IAM, CloudTrail, EC2, S3, DynamoDB, Lambda, Config and GuardDuty
- Building on Kubernetes and experience with essential services such as Pods, Services, Ingress, ConfigMaps and access controls
- Building with HashiCorp Terraform, especially creating modules for others to use
- Has managed their work using agile methodologies including sprints and story estimation
- Has a passion for excellence and growth – challenges the current state with opinions grounded in principles and experience, not just best practices
- Able to take on challenges and propose solutions with minimal guidance