"Alerted.org

Description

Sr. Professional Level FTE Position – Application Security Engineer

On-site requirement: 4 days on-site (all employees remote on Fridays) / Wawa’s Info Sec team is in their own building, so weekly schedule for the specific candidate should be discussed with and approved by Wawa manager.

Salary: $140,000-145,000 base salary

Bonus: 20k pro-rated annual bonus to hire date, which is higher than industry average. Additional bonus potential based on individual as well as company performance.

Employee stock program: (Wawa ESOP) starts vesting year 1 of employment and fully vested after 4 years.

Top Skills' Details1. 5+ years of experience in the application security engineering field with prior experience securing software.

2. Experience identifying and resolving security flaws in software code, and helping software developers fix security flaws - this is the heart of this position at Wawa.

3. Significant knowledge of application security concepts and technologies such as: SAST, DAST, SCA, IaC, cryptography, authn/authz, API security, etc.

4. Prior experience reading and writing software - specifically, advanced experience with Java programming. Preferred basic knowledge of Golang, React, and React Native programming. We’re expecting the candidate to have several years as a successful software engineer at a reputable enterprise, who have been through this as a developer and a security person.

5. Advanced knowledge of containers and container security, specifically improving the security of containers. What Wawa is looking for is a candidate with good insight into what is inherently secure about containers, and where the gaps may be.

6. Experience with Software Composition Analysis (SCA) - It's important the candidate have some exposure to and understanding of SCA. Modern development leverages a lot of open-source software. This open-source software can accumulate known vulnerabilities over time. Wawa is looking for a candidate with some experience running the tools and experience working with developers and management to get things updated

7. Experience with software development tool chains - Wawa uses Git, so nice to have would be prior experience using Git in a modern environment, but similar applicable experience is just as good.

8. Experience creating and/or delivering training and education around security for developers (i.e. helping drive Wawa’s Security Champions Program with autonomy). looking for folks who can speak on AppSec topics to developers, the managers, to peers, and to general Wawa associates.

Job Summary: The Application Security Engineer is responsible for operating, supporting, maintaining, and improving the application security program by ensuring that security is built into all internally developed applications. This role executes all day-to-day operations, maintenance, functions, and capabilities relating to application security. You will build and operate application security tooling, automation, and engage with developers and product owners to solve application security problems. The role serves as a subject matter expert in the areas of secure software development at all stages of the SDLC and general information security best practices across all technology domains. The specialist is responsible for operating and improving Wawa’s application security processes to secure and maintain Wawa’s technology. As a secondary duty, this role will support incident response processes and partner with the Information Security Architecture and Information Security Engineering Team Leads to support overall security engineering processes.

Principal Duties:

Operate and Support the Application Security Program

1. Research, document, and educate on security topics to both technical and non-technical audiences.

2. Create and deliver security presentations to technical and non-technical internal audiences.

3. Research, design and create security unit tests that are shared with development.

4. Identify gaps and inefficiencies in the Application Security Program on a continual basis, propose solutions, implement solutions.

5. Contribute significantly to the direction of internal security-focused programs.

6. Lead regular meetings of internal security-focused programs.

7. Build security best practices into the software development lifecycle by way of engaging with developers, creating processes, and implementing technology. You will work closely with developers and product owners to secure applications at all stages.

8. Develop, maintain, and iterate on secure coding practices, policies, standards, and procedures.

9. Test applications against security threats and vulnerabilities.

10. Operate and support application security vulnerability management, partnering with Technology Security Risk and Compliance.

11. Research, identify and communicate current and emerging application security threats and solutions.

12. Create solutions that balance business requirements with information and cyber security requirements.

13. Identify security design gaps in existing and proposed applications and recommend changes or enhancements.

14. Participate in and support application security reviews, penetration tests, and threat modeling.

15. Work with the Technology Security Risk and Compliance, Enterprise Architecture, and other Technology teams to ensure that information security requirements are built into applications.

Provide Strategic Support

1. Assist in the development of metrics and reporting framework to measure the effectiveness of the program.

2. Partner with the Technology Security Risk and Compliance team to support the development and maintenance of Wawa’s technology security policies and standards and ensure their application to technology architectures.

3. Assist Technology Security Risk and Compliance with ensuring the ongoing compliance with both regulatory obligations and internally developed policies and standards.

Provide support to Technology Security Incident Response team during cyber incidents.

Serve as Security Liaison

1. Maintain internal networks among information security, information technology, and development teams to ensure support and alignment on initiatives. Create internal network across IT functions.

2. Maintain external networks consisting of industry peers, ecosystem partners, vendors, and other relevant parties to address common trends, findings, and cybersecurity risks.

3. Act as technical consultant for internal business teams and the IT department to plan, implement, and support new and existing software. Serve as an expert in your technical field of knowledge.

4. Support audit and assessment process for IT including annual PCI audit, IT general controls review, and any other audits or assessments of security and general IT controls.

5. Provide application security expertise and guidance on IT and business-related projects as required by the business. Participate in IT and security related projects.

6. Work effectively with business units to facilitate applications security engineering requirements and advocate application security best practices.

Essential Skills:

1. Ability to maintain and exude a positive attitude by committing to new ideas, being enthusiastic about work, and being helpful to, and thoughtful and considerate of, others across the organization.

2. Proven experience securing custom software.

3. Ability to work well individually and in a team environment.

4. Ability to influence and motivate information technology and business teams to achieve tactical and strategic information security goals.

5. Ability to learn on the job.

6. Ability to track task progress effectively.

7. Experience working with teams of developers and product owners.

8. Excellent written and verbal communication skills, interpersonal and collaborative skills, and the ability to communicate application security and risk-related concepts to diverse audiences.

9. Poise and ability to act calmly and competently in high-pressure, high-stress situations.

10. Proven track record and experience in developing application security engineering concepts and designs.

11. Must be a critical thinker, with strong problem-solving skills.

12. Ability to manage multiple projects under strict timelines, as well as the ability to work well in a demanding, dynamic environment and meet overall objectives.

13. Ability to engage in large internal security technology projects and security remediation projects with significant dependencies on external IT teams.

14. Ability to understand large, complex technology implementations spanning hundreds of physical and virtual environments.

15. High level of personal integrity, as well as the ability to professionally handle confidential matters and show an appropriate level of judgment and maturity.

16. High degree of initiative, dependability, and ability to work with little supervision while being resilient to change.

17. Ability to be on-call 24x7x365 rotation for information security incidents.

Basic Requirements:

1. Minimum of 5 years of experience in a complex technology environment, working in the application security engineering field. You have a proven track record for securing software.

2. Advanced knowledge of containers and container security.

3. Solid knowledge of AWS and AWS security.

4. Advanced knowledge of Java programming.

5. Basic knowledge of Golang programming.

6. Basic knowledge of React and React Native programming.

7. Advanced experience with reading and writing enterprise software.

8. Advanced experience preventing and remediating software security flaws in enterprise software.

9. Up-to-date knowledge of common security weaknesses and flaws, and how to prevent and remediate them.

10. Advanced knowledge of OWASP guidance.

11. Solid knowledge of web-related protocols (TCP/IP, HTTP, HTTPS, REST, etc.).

12. Understanding of relevant legal and regulatory requirements, such as Payment Card Industry Data Security Standard.

13. Degree in computer science preferred, or equivalent professional experience.

14. Professional security management certification is preferred, such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), GIAC Defensible Security Certification (GDSA), Certified Secure Software Lifecycle Professional (CSSLP), Certified Ethical Hacker (CEH), etc.

15. Solid knowledge of common information security management frameworks, such as ISO/IEC 27001, Critical Security Controls, and NIST 800-53 and Cybersecurity Framework.

16. Significant knowledge of application security concepts and technologies such as: SAST, DAST, SCA, IaC, cryptography, authn/authz, API security, etc.

17. Strong understanding of cloud, application security, and software engineering principles.

18. Experience with scripting automation (Python, PowerShell, Unix shell, JavaScript, TypeScript etc.).

19. Proven experience and strong understanding of the DevSecOps and SAFE Agile working methodologies.

Why work at Wawa/Who are they?

Wawa is a $13B American chain of PA-based convenience stores and gas stations with 1,000+ locations across the east coast. Wawa is a privately held, family-owned company with 200+ years in business. The true heart and soul of Wawa's business has always been their people, which is why their share ownership with their associates through their Employee Stock Ownership Plan.

As of July 2024 Wawa has 1,081 stores across 464 cities in the US, with plans to expand Midwest and double their footprint to 2,000 locations by 2030. New market and existing market expansion will continue to be Wawa's top priority over the next 5 years, with an added focus on Travel Centers. For the latest updates on Wawa's expansion forecast click here!

Wawa New Market & Existing Market Expansion Highlights --

• Wawa has over 1,000 stores across Pennsylvania, New Jersey, Delaware, Maryland, Virginia, and Florida, as well as Washington, D.C.

• Over the last year, Wawa has announced plans to expand into Ohio, Indiana, Kentucky, Alabama, Georgia, North Carolina, Tennessee, and the Florida Panhandle, opening new locations by 2025. As of June 2024, they have already broke ground on their first stores in three Midwestern states.

• North Carolina: Opening 80 stores in the eastern region, with the first eight opening in 2024

• Kentucky: Building around 40 stores, with construction starting in mid-2024

• Wawa will invest approximately $6.5 million on each store. Once open, each location will employ, on average, 35 associates, with Wawa expecting to create more than 1,400 new jobs as a result of its expansion, according to the company.

• Travel Centers - Wawa is opening its first travel center in Hope Mills, North Carolina in the second quarter of 2025. This Travel Center and all those that follow will offer expanded restrooms, more parking for RVs and other large vehicles, and in-store seating. For the professional driver, the travel center will have high-speed diesel fuel, a Certified Automated Truck (CAT) weigh station, free tractor trailer parking, and merchandise.

Wawa CEO Chris Gheysens said that this expansion will include “traditional” neighborhood stores and “non-traditional” rest-stop style formats in both existing and new markets. Some of these new locations will include drive-thrus, something the chain only started testing during the pandemic. Wawa opened its first stand-alone drive-thru in Morrisville, Bucks County early last year.

While widely known for their coffee and hoagies, Wawa is a truly a Technology Company. As of 2021, Wawa was actually the largest fuel retailer in the country to have end to end encryption for their gas pumps. With over 10,000 gas pumps and cash registers and 40,000+ store associates, each store operates like a mini data center powered by technology to make their store associates jobs more efficient, while also providing the best possible customer experience. About 5 years ago, Wawa began their Digital Transformation, which today is everywhere for them. They are trying out all of the newest technologies in the industry, making constant improvements to their mobile application, rewards program, and in-store customer facing technology. "We believe we have a one-of-a-kind of opportunity to enhance our relationship with people and back it up with technology to make interactions more seamless and robust." -John Collier, Wawa CIO.

Wawa's corporate headquarters' campus is newly renovated with state-of-the-art glass buildings in the beautiful suburbs of Media, PA. At every corner you will find a store quality full service coffee station and fully stocked Cold Beverage Cooler that has all of your Wawa favorites. They have also build out a state-of-the-art Security Operations Center down the street from the main campus attached to Wawa University. The architecture was fully designed by the CISO with collaboration and visibility into all the security teams front of mind.

Skills

application security, java programming, software engineering, SAST, DAST, API security

Top Skills Details

application security,java programming,software engineering,SAST,DAST,API security

Additional Skills & Qualifications

N/A

Experience Level

Expert Level

Pay and Benefits

The pay range for this position is $140000.00 - $145000.00/yr.

As a full-time Wawa employee, all are eligible for their Employee Stock Ownership Plan (ESOP), tuition reimbursement program, competitive guaranteed bonuses, and what they're perhaps known most for - their incredible benefits. Wawa also gives their employees in need of child/adult care unlimited Care.com memberships and up to 10 days of coverage for child and adult backup care!

Workplace Type

This is a hybrid position in Media,PA.

Application Deadline

This position is anticipated to close on Jun 6, 2025.

About TEKsystems and TEKsystems Global Services

We’re a leading provider of business and technology services. We accelerate business transformation for our customers. Our expertise in strategy, design, execution and operations unlocks business value through a range of solutions. We’re a team of 80,000 strong, working with over 6,000 customers, including 80% of the Fortune 500 across North America, Europe and Asia, who partner with us for our scale, full-stack capabilities and speed. We’re strategic thinkers, hands-on collaborators, helping customers capitalize on change and master the momentum of technology. We’re building tomorrow by delivering business outcomes and making positive impacts in our global communities. TEKsystems and TEKsystems Global Services are Allegis Group companies. Learn more at TEKsystems.com.

The company is an equal opportunity employer and will consider all applications without regard to race, sex, age, color, religion, national origin, veteran status, disability, sexual orientation, gender identity, genetic information or any characteristic protected by law.