Job Details

Information Security
Senior
On-site
Full time
May 2

Senior AppSec Engineer

Senior AppSec Engineer at WMX. Location: Moscow. Salary to be discussed at the interview.

Dive into the architecture, business logic, and technology stack of the company's products, acting as an expert on application security issues;
Conduct security assessments of applications and services at the design, development, and maintenance stages;
Identify vulnerabilities and business logic flaws, propose solutions, and oversee their implementation;
Perform threat modeling for new and existing systems, assess risks, and define protection measures;
Conduct security architecture reviews, formulate recommendations for secure architecture, and oversee their implementation;
Organize and develop Secure SDLC / DevSecOps practices and processes, shape the AppSec development strategy, coordinate product protection, and represent the area in interactions with management, auditors, and regulators;
Select, implement, and develop code and application protection tools, integrating them into CI/CD and development processes;
Organize and improve vulnerability management processes, prioritization, and control of security flaw remediation;
Develop regulatory, methodological, and working documentation for secure development;
Translate regulatory and compliance requirements into specific technical measures and requirements for products and processes;
Participate in audits, inspections, certification activities, and security incident investigations as needed;
Interact with development teams, DevOps, architects, product teams, and other stakeholders.

Senior-level experience in AppSec / Product Security / DevSecOps;
Deep understanding of application architecture, APIs, microservices, and typical security risks of modern systems;
Good knowledge of OWASP Top 10, OWASP API Top 10, CWE, and practical experience applying this knowledge;
Experience in business logic security assessment, Security by Design, and architecture reviews;
Practical experience with threat modeling using STRIDE, PASTA, Attack Trees, or similar approaches;
Experience with SAST, DAST, SCA, fuzzing, and other AppSec tools, understanding their limitations and use cases;
Experience implementing and developing Secure SDLC / DevSecOps processes and integrating security checks into CI/CD;
Experience building vulnerability management processes and collaborating with development teams on their remediation;
Knowledge of FSTEC requirements, 152-FZ, and other applicable regulatory requirements for secure software development;
Experience preparing documentation, participating in audits, inspections, and certification events;
Programming skills in Python, Go, Ruby, or similar languages for automation and development of internal AppSec tools;
Practical experience with Linux, Git, GitLab, Docker, Kubernetes, Terraform/Ansible, Vault, cloud, and network infrastructure will be an advantage;
Experience in configuring logging, analyzing security events, and participating in security incident investigations;
Ability to clearly communicate risks, recommendations, and justifications to technical and non-technical teams.

Russia
Go
Kubernetes
OWASP
AppSec
Git
Linux
Python
DevSecOps
SCA
Docker
Product Security
Vault
DAST
Ansible
Ruby
SAST
GitLab
Terraform

