Application Security Specialist

Application Security Specialist

Key Accountabilities / Responsibilities:
 In conjunction with our security architects, has product ownership for
Kingfisher’s Application Security tooling.
 Responsible for operational security oversight for Kingfishers web, mobile
and API application security testing and posture.
 Ensuring Kingfisher’s scheduled PCI website scanning is completed and any
findings are logged, triaged and monitored to closure.
 Responsible for driving Kingfisher’s Bug bounty programme, vendor
management and researcher engagement.
 Responsible for ensuring that Kingfisher extracts maximum value from
investments in Application security tooling and services.
 Coordination of Penetration Testing activities and managing AppSec vendor
relationship(s).
 As the lead SME for Application Security in the team, providing advice,
leadership and direction to the global Kingfisher community on all aspects of
Application Security including Web Application Firewall configuration and
tuning, BOT mitigation techniques & approaches.
 Partnering with application owners to address issues highlighted by testing.
 Reviewing and improving current DAST and SAST scope, coverage, tooling
and processes.
 Responsible for providing measurable and actionable AppSec MI and KPI’s.
 Working with stakeholder groups to provide input into secure by design
principles and practices.
 Supporting/measuring/improving developer security training.
 Driving technical, process or organisational improvements to Kingfisher’s
Application Security capability. i.e., scopes, prioritises and leads
improvement initiatives for AppSec tools and services. Leading on regular
incremental improvements to Kingfisher’s AppSec capabilities and results.
 Proactively identifying new and emerging threats and vulnerabilities relative
to Kingfisher’s application portfolio, and for coordinating response actions
relative to the urgency of the threat.

Provide assurance over static and dynamic application security testing.
 Manage and triage findings from automated and manual assessments.
 Track remediation efforts and verify fixes.
Tooling, Automation & Reporting:
 Deploy and manage application security tools.
 Advocate for automation of security testing in CI/CD pipelines.
 Maintain dashboards and reporting for application security metrics.
Secure Software Development / Awareness:
 Work with engineering teams to integrate security into the SDLC.
 Provide guidance on secure coding practices.
 Collaborate with developers to remediate vulnerabilities.
 Promote a culture of security within software engineering teams.
Threat Modelling & Risk Assessment:
 Support threat modelling sessions for new and existing applications.
 Assess application architectures for security risks.
 Recommend design changes to mitigate identified threats.
Compliance & Governance:
 Ensure applications meet internal and external compliance requirements
(e.g., OWASP Top 10, GDPR, PCI-DSS).
 Support audits and provide documentation for application security controls.
Continuous Improvement:
 Stay current with emerging threats, vulnerabilities, and technologies.
 Leverage all available capabilities from tooling.
 Recommend and implement improvements to Application security
architecture.

Required Skills & Experience:
 Practical experience in application security, software development, or a related
cybersecurity role.
 Proven track record of identifying, triaging, and remediating application vulnerabilities
in complex technology environments.
 Hands-on experience with secure coding practices. Proficient with SAST, DAST,
IAST or RASP tooling.
 Familiarity with pen test tooling and techniques, and confident in coding and scripting
techniques and languages.
 Experience working in DevSecOps environments and integrating security into CI/CD
pipelines.
 Familiarity with agile development methodologies and working closely with
development teams.
 Experience in mitigating common application attack vectors such as credential
stuffing, BOT related attacks, and OWASP top 10.
 Experience with threat modelling (e.g. STRIDE, PASTA, MAESTRO, MITRE Atlas).
 Experience with API Security - securing RESTful APIs, OAuth2, JWT, and API
gateways.
 Relevant knowledge of cloud native security and API security attacks.
 Excellent analytical, problem-solving, and communication skills.