Security Job: Web Application Security Engineer


Job Type: Full-time salaried position
Job Locations: Illinois, North Carolina, Nebraska, Pennsylvania, Indiana, and Connecticut (if you are open to any of these areas, we should talk)
Compensation: $90,000 to $110,000 salary, possibly more
Telecommute: No
Education: BS strongly preferred, but not required.
Travel %: minimal
Relo Paid: Possible assistance available on a case-by-case basis
Certifications Preferred: CISA, CISSP

Our firm is conducting a search for Web Application Security Engineers. Our client, a Fortune 500 organization, has engaged us to identify, recruit and prescreen candidates who have a passion for web security. These are full-time positions working on site for the organization. The client is not a consulting firm.

Our client really wants to see candidates who have at least 3-5 years of software / application development and/or web development experience in a Java or .NET environment and who have moved over to the security side for at least the last 2-3 years.

Having a software or web development background prior to web application security is NOT a must-have, but it is a big plus for these positions.

The selected candidate(s) will work on security for new web applications as well as legacy systems from time to time. Selected candidate(s) must be very knowledgeable of the OWASP Top 10.

  • Conducting web application security assessments on both new and existing web applications.
  • These assessments involve manual testing and analysis as well as the use of automated web application vulnerability scanning and testing tools, including but not limited to Fortify, IBM AppScan, HP WebInspect and Cenzic Hailstorm.
  • Preparing a formal security assessment report for each application using the company's standard reporting format.
  • Participating in, and leading when necessary, conference calls with internal business customers to review security assessment results.
  • Consulting with these internal business customers on remediation options, retesting security vulnerabilities that have been fixed, and republishing your report to reflect the results.
  • Participating in, and leading when necessary, conference calls with prospective internal business customers to review newly requested security assessments and estimate the time required to complete each assessment.
  • Ability to assist in the deployment and/or support of web application firewalls.
  • Experience working with static code analysis tools.
  • Ability to communicate complex security subjects in easy-to-understand terms.
  • Desire to stay current with emerging technologies and industry trends.
  • Solid understanding of OWASP guidance along with the ability to apply those security concepts to applications.
  • Thorough understanding of both TCP/IP and HTTP.
  • Ability to work in a fast-paced, challenging and sometimes stressful environment while keeping a cool head.
  • Ability to look at the big picture and help find acceptable solutions and remedies.
  • Strong focus on, and ability in, dealing with internal users and customers.
  • Solid written and verbal communication skills.

For information on this or other Security related positions, please contact:

Wils Bell
President, Inc.
POB 620298 * Oviedo, FL 32762
Direct: 407-365-2404

Security Job: Chief Software Security Architect


Job Type: Full-time
Job Location: New York or Pennsylvania
Compensation: Base starts at $200,000 and goes up from there, depending on experience
Bonus Estimate: $75,000 to $100,000
Telecommute: No
Education: BS Degree Preferred, but client will consider total experience
Relo Paid: Yes
Other: GSSP certification a plus

Our firm is actively recruiting a senior-level candidate for the position of Chief "Software" Security Architect for a major New York client. You can choose to work in New York or in their Pennsylvania location. (FOR FULL DETAILS CONTACT US TODAY!)

This is a new and very key role. You will be responsible for all software / application security architecture for the corporation. You must possess a technical background on the software security side. Any structured hacking experience would be a benefit.

You'll also need a good understanding of the network, host, and physical aspects of the security infrastructure. Any experience dealing with offshore systems development would be a plus but is not required. You'll need the same communication and interpersonal skills as a senior principal / partner of a large security and information protection agency.

Responsibilities will include:
• Providing solutions and guidance in the form of design, development, and deployment on all aspects of software and application security to development teams on a national and international basis.
• Implementation of:
o Software Security Services
o Security Architecture Analysis and Design Reviews
o Security Code review
o Recommendations of procedural and technological compensating controls
o Secure Coding best practices implementation and training
o Application Threat modeling and Mitigation Services.
• Strengthening the risk assessment process with pertinent technical criteria to better assess the risk ratings of client applications.
• Strengthening the client's vulnerability management process, which includes bugs, patches, and configuration management advice.
• A comprehensive and holistic perspective is required for implementing security methodologies and best practices across all lines of business of the organization, including Technology.
• Must apply structured thinking, methodology and discipline to a complex environment of business and technical requirements.

• Core security, vulnerability scanning and pen testing tools
• Core security analysis
• Understanding of HTTPS, application security, web security, SSH, SFTP, SSL, and application vulnerabilities
• An understanding of application security across operating systems (Linux, Sun Solaris, Windows, Novell, etc.)
• Must have a minimum of 10 years' experience developing scalable, distributed applications with a thorough understanding of platforms such as Enterprise Java and .NET, including the security aspects of the Java, C# and C++ languages; plus 5 years in the application security space, covering information (storage, transmission, etc.), application (design and development), deployment, run-time (access), and operation/support.

To share your confidential resume, please email it directly to us or contact:

Wils Bell
President, Inc.
POB 620298 * Oviedo, FL 32762
Direct: 407-365-2404

“A Security Search Firm”

Contact Information on Your Resume

I love getting resumes from Security Professionals, but…

I am very fortunate in that my security search firm receives many unsolicited resumes every week. Unfortunately, I/we can't call everyone who sends a resume. There simply is not enough time.

We do, however, save 95% of all resumes sent, because the first place I go when I have a new search is our company database. The software we use is great since all we have to do is save the resume file and the resume is parsed into the database right from the email. All the information such as contact, skills, employers, etc. is pulled and entered into certain fields which I can then search upon.

Here is a minor problem that we encounter many times a month.

Many people send resumes with incomplete contact information. Here are basic examples from last week:

John J. Smith


John Smith


John Smith
Atlanta, GA

Why is full contact information important? It goes to what I mentioned earlier. We can't call everyone who sends a resume today, but that doesn't mean we won't try contacting you a week, month, or year from now regarding a new opportunity that comes across our desks. Knowing this means your resume can't be entered until all the correct contact data has been included. A new position/search may happen at any time, and full contact information allows us to search by variables, including location. Many clients only want locally based candidates or candidates within a certain mileage of their location. The more contact information we have, the better chance we can reach you quickly, or at all.

Also, another good tip: don't use your current employer's email (yes, some people do), because when you leave that employer your email becomes invalid. Simply keep a Gmail- or Yahoo-type account for use with your resume and career development. I call people every day from 3-4 year old resumes.

Don't get me wrong. We love getting all the resumes that are sent to us, but please include all your contact information, not just for today but for years from now. For example:

John Smith
1000 Main Street
Orlando, FL 32805

Not to worry, we will reach out to you and ask for full contact information, but it's much quicker if you include it on your resume to begin with.

Keep those resumes coming, but preferably with full contact information included.

As usual, thanks for visiting my blog.


Wils Bell
President, Inc.
POB 620298 * Oviedo, FL 32762
Direct: 407-365-2404

Security Job: Application Security Architect


Job Type: Full-time
Job Location: State of Washington
Compensation: "Very competitive package" (you won't be disappointed)
Telecommute: No
Education: BS and MS strongly preferred; however, experience may be considered in lieu of a degree.
Travel %: none
Relo Paid: Yes, excellent package
Other: Our firm is currently recruiting for a client in the state of Washington. This is NOT an entry-level position; the successful candidate will need an in-depth and solid understanding of software / application security. Our client is looking for the best of the best and is open to paying for those excellent application security skills, within reason of course.
As an individual, you will need to be a good communicator since you will be working in a team environment with many different people and with software developers within the company.
If you truly love being part of the software development process to ensure that new and existing applications, websites, etc. are built with the most cutting-edge security functionality, then this position is for you!
Our client is a well-funded organization with a solid and growing security department. Although a 4-year degree, or in some cases an MS, would be preferred, the client will consider candidates whose solid work experience overrides the degree requirement. As a successful candidate you will need good references and must be able to get through a standard criminal background check with no major problems. Minor blemishes may not be a problem and will be reviewed on a case-by-case basis.
Duties may include, but are not limited to:
• Review and evaluate new and exciting security products
• Assist in security policy and procedure development
• Have a good understanding of security compliance issues
• Act as an SME to other technical people and have the ability to train others
• As an SME, be able to sell others on the security process
• Be responsible for risk assessments of outside vendors
What you need to be considered for this opportunity:
• Excellent and current experience within Application Security
• Solid software development skills in various languages, e.g. C++, Java, C, etc.
• Knowledge of Networking, Network Security, Systems Security, Security Protocols, Scripting, Security Remedy, Authentication, Security Vulnerabilities, Threat Modeling.
As you have seen, this is a very general description of the position, but it will give you a basic idea of what I am recruiting for with this client and others. If you currently work as a software / application security expert for your firm, I would like to talk with you in more detail on a completely confidential basis.
For information on this or other Security positions, please contact:
Wils Bell
President, Inc.
“A Security Search Firm”
POB 620298 * Oviedo, FL 32762
Desk: 407-365-2404

Why I Don’t Share Client Name

Why I Don’t Share the Name of Client on First Recruiting Call

When I am recruiting for an open security job that is not a retained search, I usually do not share the name of my client with a cold-called candidate, for several reasons, until we have talked in detail.

First, I interview many candidates daily, and unfortunately I must tell several that they are not a match for "this job". Perhaps future jobs, but not this one. It does not mean that they are not a good security candidate, just not a good match for this job. Sometimes they, on the other hand, feel that they are a great fit and want to proceed with the interview process. When I explain that the client wants and expects me to pre-screen heavily so as to present only dead-on matches, they get upset. I have had these people try to go directly to the client themselves, or call other recruiters and ask them to present them. If the company name has not been discussed, it protects me.

Also, I have had some very well-intentioned people who knew my client's name simply mention to a friend or co-worker that I called and discussed a great opportunity with them at XYZ company, and the friend or co-worker simply goes directly to the company without thinking about me. They did not mean to cut me out; they just did not realize they should call me to present them. After all, I am dealing directly with the hiring authority and can make things happen.

Please be aware that I do share the client name as soon as we (you and I) determine that it is a good match and worth proceeding forward with the process.

Since this is how I earn a living for me and my family, please don't be insulted by the process and by my guarding my client's name until we agree it's a match.


Happy Holidays,


Wils Bell – Security Recruiter

Bell (at), Inc.


Desk: 407-365-2404