Why you should apply for a job with UKG:
UKG is on FGB’s Best Tech Companies for Women of 2019.
FGB'ers gave this company an overall job satisfaction of 4.8/5.
FGB’ers working at UKG rated their manager’s support at 4.6/5.
- 94% of reviewers say women and men are treated equally at UKG.
- 100% of reviewers recommend UKG to other women.
- 99% of reviewers say the CEO supports gender diversity.
401K plan + matching
Excellent medical & dental plan
Unlimited PTO
UKG is seeking an Application Security (AppSec) Engineer to work in our Global Security team. The UKG Global Security Research and Architecture (GSRA) application security team is responsible for both finding bugs and designing mitigations for broad classes of bugs. We use and work on state-of-the-art tools, maintain the infrastructure that supports our efforts, and empower Product Development to move quickly without compromising on safety. Because of the nature of UKG's product, nearly every system we operate needs to interact with sensitive financial and personal data, making the security team an extremely dynamic environment to join.
We are looking for someone with a strong application security engineering and development background. The ideal candidate can discuss abstract concepts or lead meetings but is not afraid to deep dive into technical details (from whiteboard to Java code, from Microsoft Word to the Linux console). If you can navigate sequence diagrams, use case documentation, and read source code, always with security in mind, LET'S TALK!!
Here at UKG, Our Purpose Is People. UKG combines the strength and innovation of Ultimate Software and Kronos, uniting two award-winning, employee-centered cultures. Our employees are an extraordinary group of talented, energetic, and innovative people who care about more than just work. We strive to create a culture of belonging and an employee experience that empowers our people. UKG has more than 13,000 employees around the globe and is known for its inclusive workplace culture. Ready to be inspired? Learn more at www.ukg.com/careers
Primary/Essential Duties and Key Responsibilities:
- Work with our code
- Develop techniques to ensure development teams find flaws before they are introduced into production
- Be a security subject matter expert and respond to any security development question
- Work with development teams to design solutions that are inherently secure
- Be a champion for simple security models
- Correctly balance security risk and product advancement
- Lead software security initiatives
- Lead or participate in threat modeling discussions
- Perform code deep dives to uncover security vulnerabilities or design
- Document findings and architectural issues for consumption by development and other security teams
- Evaluate the security posture of existing applications
- Perform proactive research to detect new attack vectors and pentest internal and external apps
- Software development experience in a production environment
- A deep understanding of the web application architecture
- A knack for finding flaws in software and can efficiently communicate how to fix them
- Strong communication skills and is accustomed to working closely with a product team
- Doesn't always default to industry norms when solving a problem
- An ability to think like an attacker to develop threat models
- Has designed and implemented mitigations for common classes of bugs
Required Qualifications:
- Authentication (Identity management, MFA/2FA)
- Applied Cryptography (PKI, appropriate usage of cryptographic primitives, digital signatures, hashing, HMACs)
- Authorization (claims, RBAC, fine grained, coarse grained, XACML, OAuth, SAML)
- Web Services Security (WS-Security, OAuth, JWT)
- Static Source Code Review Tools (e.g. Fortify, AppScan Source, Contrast, etc.)
- Application Service Hardening (CIS, NSA/DOD STIGs)
- Coding experience in one or more general languages
- Mobile App development experience a plus
- 10 years of relevant work experience
- Hard Core Development Skills
- Detail-Oriented
Interpersonal Skills:
- Self-led, with exceptional communication skills with diverse audiences
- Strong critical thinking and analytical skills
- Team working, including the ability to drive projects and initiatives in multiple departments
- Demonstrated ability to identify risks associated with business processes, operations, information security programs and technology projects
- The ability to be the enterprise security subject matter expert who can explain technical topics to those without a technical background
Education/Certification/License:
- Certified Security Software Lifecycle Professional (CSSLP)
- Certified Information Systems Security Professional (CISSP)
- BA or BS in information security, engineering, computer science, or related areas. A Master's degree in an IT field is a plus, and a Master's in cybersecurity is an even bigger plus.
Physical Requirements:
- No unique physical requirements
Travel Requirements:
- 0-5%
This job description has been written to provide an accurate reflection of the current job and to include the general nature of work performed. It is not designed to contain a comprehensive detailed inventory of all duties, responsibilities, and qualifications required of the employees assigned to the job. Management reserves the right to revise the job or require that other or different tasks be performed when circumstances change.
Ultimate Software will reasonably accommodate employees with disabilities as defined by the Rehabilitation Act of 1973, the Americans with Disabilities Act (ADA) and other appropriate statutes. If you are an applicant and need a reasonable accommodation when applying for job opportunities within the Company or request a reasonable accommodation to utilize the Company's online employment application, please contact [email protected].
It has come to our attention that some people have been contacted online by persons impersonating job recruiters for Ultimate Software. These fraudulent recruiters have used Gmail accounts to make contact and have made requests for personal information or actions such as depositing a check to purchase work-related supplies. These are not legitimate recruiters or job offers, and do not represent Ultimate Software. To safely apply for and view open positions at Ultimate Software, please click "Apply" and follow the instructions. Note that our recruiter emails always come from an official ultimatesoftware.com email address.
If you suspect you have been the victim of this or a related fraud, immediately contact your financial institution, and then file a complaint with the FBI's Internet Crime Complaint Center at www.ic3.gov. If you shared other personal or sensitive information, you may need to take additional actions relative to what was shared. Your local law enforcement department may also be able to assist. For any general security related questions regarding Ultimate, feel free to email [email protected].