JOB SUMMARY:
Serves as a security advisor and technical expert for the company's digital solutions. Performs application source code reviews, vulnerability testing and threat assessments. Leverages advanced tools, methods and approaches to demonstrate weaknesses in applications. Responsible for ensuring that developers and technical personnel address application security issues in a timely fashion. Routinely collaborates with various functional teams (APAC digital team, HQ mobile team, legal team, IT team, etc.) and with other security team members including, but not limited to, architecture, vulnerability management, compliance and incident response. This role is based in China as a member of the APAC information security team, with a dual reporting line into the HQ Application Security team.
CANDIDATE PROFILE
Education and Experience
Required:
- Based in Shanghai or willingness to relocate to our Shanghai Office
- 5+ years of progressive experience in related fields such as mobile security, web application security, secure coding, secure design and threat analysis
- Full understanding of common OWASP flagship projects (ASVS, Top 10, Cheat Sheets, etc.)
- Thorough understanding of common application security controls and tools such as WAFs, RASP and intercepting proxies
- Hands-on experience in penetration testing of in-house developed software and in a secure software development life cycle (S-SDLC); familiar with scanning tools such as Nessus, Tenable and BD, and with scanning methodologies such as SAST and DAST
- Proficient in at least one high-level programming language (e.g., Java, C++, Go, PHP, Ruby, Perl)
- Proficient in JavaScript and at least one JavaScript framework (e.g., Angular, React, Vue)
- Hands-on experience in China mobile regulation compliance remediation, e.g. vulnerability scanning and remediation of mobile apps based on the requirements of app stores and regulators
- Bilingual capabilities, including proficiency in reading, writing and speaking English
Preferred:
- Experience working in a cross-region team structure, e.g. with the US
- Familiarity with relevant regulations such as the China Cybersecurity Law and the Personal Information Protection Law
- Industry certifications such as Certified Secure Lifecycle Professional (CSSLP), Offensive Security Web Expert (OSWE), GIAC Web Application Penetration Tester (GWAPT), Certified Application Security Engineer (CASE)
- Knowledge of hospitality culture and of technology's role in enabling the business
Key Stakeholders
- Legal
- Digital
- IT
- Global Information Security
- Other roles involved in data and system protection
CORE WORK ACTIVITIES
Security Assessments
- Conducts application security activities in the standard Security Accreditation process for APAC projects and assets.
- Evaluates applications for security flaws by performing fuzzing, access/authorization bypass, business logic abuse and intentional fault injection for the APAC region.
- Uses static and dynamic analysis tools to support broad testing and vulnerability discovery for APAC assets.
- Works with other security team members to research and test for complex security issues.
- Creates and/or maintains threat models to communicate risks to engineers, project managers and other technical personnel.
- Ensures applications are built according to enterprise security standards.
- Acts as a subject-matter expert (SME) and helps APAC development teams with their security needs.
Source Code Reviews
- Works with APAC development teams to review application source code for security and operational risks.
- Performs manual code reviews of applications that are not compatible with automated SAST tools.
- Provides guidance and recommendations to software architects and engineers on how to correct code-related security flaws.
China Mobile App compliance assurance
- Works with the APAC digital team, HQ mobile team and legal team to ensure the China mobile app complies with Chinese regulatory security and privacy requirements.
- Performs the necessary scans and manual tests to identify privacy risks before release.
- Works with the APAC digital team, HQ mobile team and legal team to remediate the risks.
- Ensures China regulatory requirements are captured and embedded in the existing S-SDLC framework.
Administrative
- Manages tickets and SLAs associated with security testing efforts for APAC assets.