About HP

At HP, talent is our criteria. Join us in reinventing the standard for diversity and inclusion. Bring your awesomeness, and just be you!

We’re reinventing technology to make life better for everyone, everywhere around the globe.  From Personal Systems to Print, we’re engineering experiences that amaze.  HP Global Digital Support is transforming the way our customers access support, from on demand tools to our AI Bot, access to support and services are at our customers fingertips.

Join our team and share the vision.

Job Description

At HP, security is our priority and delivering exception customer experience that is safe and secure is what we do within the HP Customer Experience + Digital team.  We’re looking for an experience cybersecurity engineer with hands on expertise in applications security.  You will be responsible for defining and administering consistent software development lifecycles that expands our current security practices throughout the planning and delivery phases that mitigates our solutions security risk.

The successful candidate is passionate about security with very deep understanding of OWASP, CWE 25, Data Protection, Access management software vulnerabilities, seasoned in implementing best practices design and threat modeling and can work in a dynamic environment. You will perform penetration testing and provide recommendations to developers on mitigations for all our client based support solutions including HP Support Assistant (MS Windows/Mobile versions), our gateway for supportability web services and our virtual bot service.  You will primarily interface with software developers, partners and HP Global Cyber Security in producing secure code in short time frames.

Duties and Responsibilities

• Work as part of a team of software and security engineers to design/maintain and build best-in-class product security tools and services
• Work closely with DevOps to verify and respect best practices and security requirements
• Drive security audits for solutions portfolio and engage w/ respective team members to ensure compliance
• Technical point of contact for product teams as it relates to Product Application Security Operations
• Analyzes vulnerabilities, attacks or threats to determine risk, adversary intent, and prioritize mitigation or response.
• Owns resolution of HP security issues related to security vulnerabilities, incidents and threats.
• Recommends containment, eradication, and recovery measures for any observed attack or breach. Combines industry expertise with a thorough understanding of information and security technology to direct development of vulnerability remediation or mitigation plans.
• Build tools and automation scripts that enable developers to easily consume security services delivered by Global Cyber Security, Security Engineering and Automation team
• Responsible for security product QA and Testing (Penetration Testing, Veracode etc…)
• Build strong relationships with product development teams
• Understand existing processes and identifying how to improve and streamline them in order to improve team efficiency and effectiveness
• Lead solutions security architecture reviews in collaboration with the assets team.
• Provide recommendations, code review on implementation from a security perspective that minimizes attack surface
• Provide technical guidance and educate team members and coworkers on security practices in development and operations
• Brainstorm for new ideas and ways to improvement security in our delivery
• Document and design various processes; update existing processes related to security
• Follow all best practices and procedures as established by company’s Global Cyber Security Team

• Knowledge and skills – required:
• 10+ years of applications/web security experience
• Bachelor degree in Computer Science or related field and 2-4  years of Software Development Experience 
• 2-3 Years of Experience in Web Application Security, SSDLC and Threat Modelling
• Hands on experience with Software Development Java / C# / C++, JavaScript and HTML, 
• MUST have deep understanding of OWASP Top 10 and CWE 25; with proven track record and experience in implementing and integrating remediation strategies
• Excellent understanding of web applications, web servers, layer 7 application technologies, frameworks and protocols with respect to application development and deployment
• Well versed in web application design, penetration testing, application risk assessment and risk categorization
• Well versed (experience preferred) with driving and implementing secure development practices in to SDLC (SSDLC); ability to successfully integrate security into a developers world
• Success in implementing effective Secure SDLC frameworks across a large corporation.
• Experience in managing application security testing tools like SAST, DAST and Open Source Vulnerability Scanning 
• Ability to effectively present and communicate security threats and risks to ANY audience and impress upon them the mitigation techniques and strategies
• Deep knowledge and experience in using SAST, DAST and fuzz testing tools
• Highly effective communicator; well-honed influencing and negotiating skills
• Solid problem solving and analytical skills; able to quickly digest any issue/problem encountered and recommend an appropriate solution.
• Self-motivated; able to work independently; able to negotiate and bring consensus to diverse priorities of product development and solution teams

Knowledge and skills – nice to have:

• MS degree in Information System management / Computer Science / Information Security or a related technical discipline
• Technical Cyber Security Certification through one of the recognized bodies preferred: SANS, ISACA, (ICS)2, CompTIA, Cisco, CERT etc.
• Experience with VisualStudioOnline/VisualStudioTeamServices
• AWS services (API GW, VPC, SQS, Lambda, CloudFront, Kinesis)
• Azure services (Compute, Storage, Security)
• Experience with SoapUI, Selenium, Appium, or other testing frameworks
• Agile/Scrum/DevOps methodologies 
• Candidates should be familiar with waterfall and agile development processes and have experience integrating secure development practices into both models.