• Performs security reviews of architecture, application design, and source code
• Performs remediation testing and reporting through the application of penetration techniques in a fast-paced, highly technical environment
• Develops scripts and integration code to ensure the DevSecOps tools work together and provide value to development teams
• Analyzes application (e.g. mobile, web, backend) security tool scan results and advises development teams on strategically resolving identified issues
• Performs static and dynamic application security testing with automated tools and manual techniques
• Identifies, develops, and documents in detail security issues and recommendations.
• Coordinates with other functional groups involved in Information Security, Risk, Security Architecture and Software Development teams.
• Conducts threat analysis and threat modeling, including the creation of misuse cases and the definition of threat actors for systems, in a manner suited to agile application development
• Assists with Proof of Concept (PoC), technical evaluation, procuring, managing, and configuring Application Security tools in various environments
• Performs research on emerging technologies, design frameworks, and capabilities required to guide development teams on new technologies adopted by the company
• Creates or maintains necessary DevSecOps processes and documentation
• Provides ad hoc reports as directed by leadership.
• Leads security improvements projects that include departments outside information security.
• Works, as necessary, alongside the company’s Security Operations Center (SOC) staff to build new monitoring capabilities based on threats and Red Team / Pentesting findings
• Maintains confidentiality on all sensitive security matters.
Knowledge, Skills & Abilities
• Extensive experience working in at least one DevSecOps area: Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Container Security (CSec), Software Composition Analysis (SCA)
• Familiar with vulnerability assessment processes, penetration testing techniques and audit procedures
• Well versed in web, mobile and native application exploitation (Buffer Overflows, SQL injection, cross-site scripting, click-jacking, etc.)
• Ability to work at a senior level when executing and improving work processes to ensure achievement of business goals
• Experience working with at least one cloud service provider (AWS, Azure, GCP, etc.). Azure experience is a big plus.
• Experience with information security control practices and frameworks is strongly preferred.
• Experience in multiple development languages would be advantageous
• Extensive understanding of cryptographic concepts and applied cryptography
• Proficiency in one or more scripting languages (Perl, Python, Shell Scripting, etc.)
• Extensive knowledge in data security and privacy related regulations relevant to Business Units (BUs)
• Excellent written and verbal communication skills (in English)
• Excellent applied critical thinking and troubleshooting skills.
• Requires comprehensive knowledge and mastery in assigned areas applying skills and competencies in challenging and complex situations.
• Ability to work independently and in a team environment.
• Experience leading projects and team activities.
Education and Experience
• Bachelor’s degree or equivalent work experience.
• 3-5 years of increasing responsibility in Information Technology, Information Security or Compliance required.
• CEH/OSCP/CISSP Preferred.
• Additional relevant industry certification(s) preferred.