Security Engineer - Vulnerability Management
About the Security & Capability Team
Our team is responsible for providing and maintaining tools used by Tesco in order to monitor and secure our systems, while also helping our colleagues globally.
We maintain global hybrid instances of our chosen tools for SIEM, Application Performance Monitoring, Log Monitoring, Backlog Management, Identity Access Management, Service Desk, self-help portals for colleagues and incident communications. In addition to the challenges delivering this capability brings, we're also the team responsible for the security operations centre and our security architecture, working across Tesco globally to secure our systems and data! Our Technology Risk & Compliance team works tirelessly to further develop a risk aware culture and drive audit and regulatory improvements across the technology team in all Tesco countries.
We aim to provide colleagues with a great experience by providing world class tooling, processes and advice. We believe in solutions that are either self-service or invisible to the end user - that's not always easy to achieve, but it's what we strive for.
Our Technology department is now seeking a talented Security Engineer to join the team. Security Engineers work with broad knowledge of security engineering as well as a deeper knowledge in one or more specific areas. You are responsible for delivering quality advice and guidance to Technology teams in order to make Tesco systems secure. This could be through threat modelling, code review, design review, etc. You strive to educate colleagues throughout Technology so they are empowered to make their systems more secure.
Key people and teams I work within and outside of Tesco
- Product Managers
- Software Engineers
- System Engineers
- Technical Programme Managers
- Colleagues and business stakeholders across Tesco
- Suppliers and 3rd parties
- Represent the Technology Security team and assist other engineering teams in adhering to secure design principles.
- Help teams deliver secure solutions using my team and security skills and also displaying a flexible agile approach by embracing emerging technologies, all working together in a robust technical ecosystem.
- Work closely and collaboratively with engineering and product teams
- Be a problem solver using past engineering experience to create and deliver innovative solutions
- Provide hands on direction during the design and development of applications utilising a threat-based approach to support the business strategy.
- Collaborate closely with colleagues within the wider global Technology Security organisation and technology departments as well as the business to establish effective, productive relationships
- Execute threat modeling activities during agile iterations.
- Am involved in and may lead incidents which occur on our systems with regards to technology security.
- Provide targeted application security requirements based on design, threats, industry best practices, and Tesco specific policy.
- Influence delivery teams in the prioritisation of security activities and issue remediation.
- Perform manual code reviews, open source software evaluations, and tests as needed.
- Drive adoption of new tools and techniques being able to understand their value and impact.
- Keep my technical skills up to date and keep track of new technologies, understanding how they might benefit the Technology team and wider Tesco.
- Share knowledge with the wider engineering community.
- Champion continuous improvement within the department.
Skills relevant for the job
We're looking for passionate individuals with experience in:
- Web Application Scanners (WAS) e.g. Qualys /Nessus (Tennable.io), netsparker, etc
- Nmap, Kali linux, metasploit
- Ideally an ability to write small tools in Python, Ruby, Go, Perl, PHP etc
One or more of the following certifications could prove advantageous for the role: Security+, CEH, SANS GIAC, SSCP, CISSP, CSSLP, CISA, CISM.
Experience relevant for this job
Previous experience working in a DevOps environment and building teams deliver secure code in an automated way. Additional experience includes:
- Strong troubleshooting skills.
Experience of pen testing or identifying vulnerabilities.
Managing security vulnerabilities of a system, OS, software, WAS, configurations, Cloud (AWS).
Ability to represent data to ensure that the right vulnerabilities are prioritised.
Capabilities to reproduce issues and work closely with the development / engineering teams to help them remediate.
Technical hands on exposure to the various security products within an Enterprise environment (e.g. SAST).