About New York City Cyber Command
Mission. NYC Cyber Command leads the City’s cyber defense efforts, working across more than 100 agencies and offices to prevent, detect, respond, and recover from cyber threats. NYC3 protects NYC infrastructure and critical systems from malicious attacks and safeguards the data, devices, and services of the City.
Culture. Foremost, we serve the people of the City of New York, so earning - and keeping - their trust is paramount. To deserve that trust, we relentlessly focus on facts, provide sound judgment, and maintain a healthy culture. We pride ourselves on having a respectful and inclusive workplace built on kindness, honest intellectual debate, and excellent work.
Job Description
This position description is based on the National Initiative for Cybersecurity Education (NICE) Workforce Framework that categorizes and describes cybersecurity work across sectors using a consistent taxonomy and common lexicon. The Application Security Engineers work within Cyber Command and across City agencies to ensure compliance with cybersecurity policies and standards, and the best software and data security practices.
The ideal candidate will analyze the security of new or existing computer applications, software, or specialized utility programs and provide actionable results in collaboration with other members of the Software Security Team. Application Security Engineers lead the review, coordination, and conduct of the Software Security Assurance Process, ensure that Software Security Assurance Process follow-up tasks are executed by agencies, and ensure that appropriate risk management strategies are undertaken by application owners. The candidate will assist SME resources with software security challenges and advise on code remediation techniques.
Minimum Skills
● 5 years of experience in software security
● Knowledge of Data Privacy Impact Assessments.
● Knowledge of web/non-web/native mobile software programming technologies (Java, C#, JavaScript, HTML, etc.), their structures, and logic.
● Knowledge of relational databases, web applications and services
● Knowledge of web/non-web/native mobile system and application security threats and vulnerabilities (e.g., buffer overflow, cross-site scripting, code injection, race conditions, covert channels, replay, return-oriented attacks, malicious code).
● Skills in conducting software vulnerability scans (DAST, SAST, etc.) and recognizing vulnerabilities in security systems. Tooling: IBM AppScan, Qualys, Veracode, WebInspect, Burp Suite, Postman.
Preferred Skills
- Knowledge of secure configuration management techniques. (e.g., Security Technical Implementation Guides (STIGs), cybersecurity best practices on cisecurity.org).
- Knowledge of software debugging principles.
- Skills in designing application and infrastructure countermeasures to identified security risks.
- Skills in developing and applying security system access controls, PKI and cryptography.
- Skill in using code analysis tools.
- Skill in performing root cause analysis.
- Skill to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
Qualification Requirements
1. A baccalaureate degree from an accredited college and four years of satisfactory full-time experience related to projects and policies required by the particular position; or,
2. Education and/or experience which is equivalent to "1" above.