Security Engineer III

Responsibilities

• Partner with US teams to provide security guidance as a subject matter expert around application security and operate YUM! application security services for the brand.

• Aligning with a risk-based approach, collaborate with third-party engineers, and product owners to identify, prioritize, and remediate vulnerabilities in mobile and web applications across YUM! systems. These include e-commerce websites, e-commerce mobile apps, and restaurant operations apps.

• Leveraging established YUM! security services, review vulnerability scanner reports/results and work with application and/or engineering teams to communicate and address/remediate issues. This includes ensuring adherence to established remediation timelines, including recommending and monitoring remediation activities.

• Maintain the brand’s application security scan profiles and scan policies as per baseline standards across scanning tools for containers, SAST, DAST, and crowd sourced pen testing. This will include reviewing findings of security scans and onboarding new applications into scanning tools or services.

• Conduct awareness campaigns with engineering teams to ensure application development adheres to YUM! Global Technology Risk Management development standards.

• Continuously monitor published vulnerabilities for various applications, operating systems, and databases. Based on the publicly disclosed vulnerabilities determine the remediation priority and engage the stakeholders. Review the solution by re-scanning the disclosed vulnerabilities. (Familiar with OWASP Top 10, etc.)

• Conduct threat modeling exercises to identify potential risks at the design and architecture stages and provide guidance to development teams in secure design and best practices.

• Coordinate with incident response teams to contain, remediate, and perform root cause analysis on security incidents affecting applications.

Minimum Requirements:

• Bachelor's degree and at least 6-8 years of experience in cybersecurity and/or software development. Additional years of relevant cybersecurity or development experience may be considered in lieu of bachelor's degree.
• Experience with reviewing application cybersecurity vulnerabilities for risk and relevance as well as in vulnerability mitigations/remediation planning, for identified vulnerabilities
• Able to successfully communicate with technical personnel and third parties.
• Knowledge of continuous integration and continuous delivery platforms
• Familiarity with relevant compliance and data privacy regulations (e.g. PCI DSS, GDPR, CCPA) and how they impact application security with the ability to incorporate compliance requirements into security testing and remediation processes.
• Knowledge of common programming languages and paradigms ( OOP, functional, concurrent, etc)
• Knowledge of cloud environment topics including secrets management, infrastructure as code, and serverless technologies
• Knowledge of CI/CD techniques and build/deployment pipeline technologies
• Knowledge of application scanning tools using both dynamic and static techniques
• Knowledge of containers and container management tools (e.g. Docker, Kubernetes) including how to interpret and remediate security findings and best practices for securing container images and deployments.
• Knowledge of HTTP communication
• Knowledge of package management tools for languages and operating systems (e.g. npm, pip, apt, yum)

Preferred Requirements

Knowledge of package management tools for languages and operating systems (e.g. npm, pip, apt, yum)