Application Security Engineer (m/f/d)

About us

Spryker Systems GmbH is a fast-growing technology company offering leading manufacturers, brands and sellers across all industries a flexible commerce solution along all customer-facing touchpoints, from online shop and mobile to voice, chatbot, blockchain and IoT use cases. Our modern offices are located in the German digital metropolises Berlin and Hamburg.
The international Spryker team constantly works with new, exciting customers, technologies and innovative approaches, and is looking for talented employees to join us in revolutionizing the digital commerce world.

In a Nutshell

Do you care about security above all and are passionate about fostering strong security culture? Do you think like an attacker and anticipate how they might exploit weaknesses, adapt quickly, and find creative ways to implement security in a fast-paced environment?

Spryker is seeking an Application Security Engineer. As a key member of the team, you will be involved in improving security testing in our CI/CD pipeline but may also be called upon to drive engineering efforts for other programmatic areas like data protection, security logging, Spryker platform security architecture, and incident response.

Join our team and help us revolutionize the world of commerce & tackle diverse projects!

Your challenges

  • Participate in security projects and provide expert guidance on security matters for other IT projects
  • Implement a software assurance model designed to address security defects early in the delivery pipeline
  • Perform security architecture design reviews for new features and product releases
  • Perform code reviews and advise developers on remediation techniques
  • Be an advocate for secure coding practices across all engineering teams
  • Facilitate internal training on various security topics to raise awareness and interest
  • Manage external penetration tests, perform your own, and lead remediation projects to enhance existing security features
  • Improve the Secure Software Development Lifecycle, working with development teams and keeping them up to date with secure coding practices
  • Create documentation and presentations for security champions on the development team

Your profile

  • Bachelor’s/Master’s degree in Computer Science or an equivalent degree, and a minimum of 5 years in cybersecurity and application development
  • Experience with black-box and white-box security testing, vulnerability scanning, and penetration testing, including experience providing remediation techniques
  • Experience in Security Engineering, Threat Modelling, and Security Code Review
  • Deep knowledge of common web application vulnerabilities (e.g. Injection Attacks, XSS, CSRF, etc.) and their mitigation strategies
  • Experience in developing web applications in PHP and Python
  • Experience with standards and methodologies such as OWASP and PTES
  • Experience with security assessment tools like Burp Suite, OWASP ZAP, etc.
  • Experience with secure coding practices and automating security checks in pipelines
  • You have the ability to exploit security flaws on web applications and APIs manually
  • Hands-on experience implementing and tuning SAST/DAST
  • You enjoy interacting with people from different teams to get the job done
  • You have an interest in, or are already involved in and contributing to, the community, either with code or by attending/giving talks at meetups or conferences, or by being a mentor

Bonus points for:

  • Experience with AWS cloud technology, cloud security best practices
  • Experience in OWASP ASVS Implementation and verification
  • Experience with OWASP Software Assurance Maturity Model (OSAMM)
  • Good understanding of containerisation technology such as Docker and Kubernetes
  • Experience in deploying hardened configurations using orchestration tools
  • Industry-recognised certifications: OSCP, CEH, CASE, GWAPT, GPEN
  • Bug bounty program participation or open-source vulnerability research