Bucharest, ROM
5 days ago
Application Security Engineer
**Introduction**

Application Security Engineers play a critical role in protecting applications from vulnerabilities and attacks, ensuring the confidentiality, integrity, and availability of sensitive data. Their responsibilities span the entire software development lifecycle and require a blend of technical skills, security expertise, and interpersonal abilities.

**Your role and responsibilities**

* Secure Software Development: Work closely with developers to incorporate security into the software development lifecycle (SDLC), promoting secure coding practices and conducting code reviews.
* Vulnerability Assessment: Regularly perform vulnerability assessments and penetration testing to identify weaknesses in applications and recommend remediation.
* Threat Modeling: Develop and maintain threat models to anticipate potential security threats and design appropriate countermeasures.
* Security Tool Implementation: Select, deploy, and manage tools for static and dynamic application security testing (SAST and DAST), such as Fortify, SonarQube, or OWASP ZAP.
* Security Compliance: Ensure that applications meet relevant security standards, regulations, and guidance, such as the OWASP Top Ten, HIPAA, or GDPR.
* Security Training and Awareness: Design and deliver training programs that educate developers and other stakeholders on secure coding practices and application security best practices.
* Incident Response: Participate in responding to application security incidents, working with the broader security team to contain, mitigate, and recover from breaches.
* Security Documentation: Maintain accurate and up-to-date security documentation, including security requirements, design specifications, and testing results.
* Collaboration: Work closely with development, QA, and other IT teams to integrate security considerations into all stages of application development and deployment.
* Research and Development: Stay current with new security threats, vulnerabilities, and mitigation techniques, and evaluate emerging security technologies for potential adoption.
* Risk Management: Identify, analyze, and prioritize application security risks, and propose appropriate mitigation strategies.
* Third-Party Security: Evaluate and oversee the security of third-party libraries, components, and services used in applications.
* Policy Development: Contribute to the development and maintenance of organizational application security policies and procedures.
* Continuous Improvement: Regularly review and refine application security practices, tools, and processes to maintain their effectiveness and efficiency.
* Professional Certifications: Pursuing relevant professional certifications, such as Certified Information Systems Security Professional (CISSP), Certified Secure Software Lifecycle Professional (CSSLP), or Offensive Security Certified Professional (OSCP), can enhance expertise and credibility.

**Required technical and professional expertise**

* Architecture / Solution Reviews
* Threat Modeling
* Access Model / PAM Reviews
* System Configuration Reviews
* ITPF Conformance Assessment
* Secure Coding Practices
* Web Interface or API Security Review
* SAST / DAST Scans
* Pentest
* IaC Scanning
* Secrets Scanning
* Logging and Monitoring Review
* BR and DR Assessment

IBM is committed to creating a diverse environment and is proud to be an equal-opportunity employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, gender, gender identity or expression, sexual orientation, national origin, caste, genetics, pregnancy, disability, neurodivergence, age, veteran status, or other characteristics. IBM is also committed to compliance with all fair employment practices regarding citizenship and immigration status.