**Job Summary:** We are seeking a technical subject matter expert for an Application Security Testing platform that integrates SAST, DAST, IAST, and SCA across the software lifecycle to reduce the attack surface.

**Key Highlights:**

1. Integrate security into the SDLC (DevSecOps and CI/CD)
2. Experience with HCL AppScan and security methodologies
3. Management of findings and continuous improvement in application security

We seek the person who will become the technical subject matter expert for the **Application Security Testing** platform: capable of integrating SAST, DAST, IAST, and SCA throughout the entire software lifecycle and making decisions that reduce the attack surface before it becomes an incident.

**What will be your challenges?**

**DevSecOps and CI/CD: where shift-left is defined**

* Integrate HCL AppScan into Jenkins, Azure DevOps, GitLab CI, and GitHub Actions pipelines, bringing security into early SDLC stages.
* Define quality gates that block or warn releases containing unremediated critical vulnerabilities.
* Develop automations using the AppScan REST API and CLI for scan execution, result parsing, and finding management.
* Drive adoption of the AppScan Source IDE Plugin and pre-commit hooks in development team workflows.

**In-depth Application Security Testing**

* Configure and execute SAST on multi-language repositories (Java, .NET, Python, JavaScript, PHP, Go).
* Implement and manage DAST on web applications and REST/SOAP APIs in QA and pre-production environments.
* Deploy IAST sensors for runtime vulnerability detection.
* Execute SCA to identify risk in open-source libraries and dependencies (CVE, CVSS).

**Governance, finding management, and continuous improvement**

* Perform triage and prioritize findings, technically distinguishing false positives from real vulnerabilities.
* Advise development teams on remediation aligned with OWASP Top 10, SANS CWE Top 25, and compliance frameworks (ASVS, NIST SP 800-53, ISO 27001, PCI-DSS).
* Produce executive security posture reports and AppSec KPIs for the CISO and risk departments.
* Administer and maintain the HCL AppScan platform (ASE, Standard, Source, ASoC): users, scan policies, upgrades, and service health.

**Must-Have Qualifications:**

* 4+ years of experience in application security (AppSec), including at least 2 years operating HCL AppScan or IBM AppScan.
* Proven experience implementing DevSecOps pipelines with integration of SAST/DAST/IAST/SCA tools.
* In-depth knowledge of OWASP Top 10, SANS CWE Top 25, and application/web/API vulnerability assessment methodologies.
* Experience working with agile development teams (Scrum/Kanban) in CI/CD environments.
* Proficiency in at least one programming or scripting language: Java, Python, JavaScript, or .NET.

**Nice-to-Have Qualifications:**

* HCL AppScan Certified Professional certification (or equivalent IBM), GWAPT, or CSSLP.
* OSCP, eWPT/eWPTX, AWS/Azure Security Specialty, CDP, or Security+/PenTest+.
* Experience in container and orchestration security (Docker, Kubernetes).
* Degree in Systems Engineering, Computer Science, Cybersecurity, or related field.

**Work Mode: HYBRID (CABA - Puerto Madero)**