Job Description
- Application Security Testing – The use and maintenance of cloud and self-managed security scanning tools, manual source code reviews, and manual penetration assessments.
- Vulnerability Management – Cataloging application vulnerabilities, reviewing them for false positives and existing mitigations, performing threat and risk assessments, and managing their lifecycle through remediation within SLAs.
- Release Management – Ongoing reviews of application releases to ensure only secure and reviewed code is pushed to prod, with automation tasks as necessary.
- CI/CD pipeline – Develop scripts to integrate Security tools into the Jenkins pipeline and assist development teams with interpreting results from pipeline vulnerability verification reports to facilitate vulnerability remediation.
- Degree in Cyber Security, Engineering, Mathematics, Computer Science, or a combination of education and relevant experience.
- Training or experience in Web App or Network pentesting
- Training in cloud (e.g., AWS Cloud Practitioner or Certified Cloud Security Professional)
- 5+ years' experience working with Secure DevOps or a development pipeline and release management
- General knowledge of scripting languages (Python, etc.)
- Experience performing Application Security manual penetration tests and familiarity with pentesting tools (e.g., Burp Suite, Kali Linux, Postman)
- Knowledge of security architecture design and principles including confidentiality, integrity, and availability.
- Experience with using or reviewing output of automated code scanning tools and development pipeline tools
- Understanding of security concepts and practices, including those for authentication, authorization, access control and auditing as well as best practices (e.g. OWASP).
- Familiarity with application frameworks and their built-in security services and APIs (e.g., Sun J2EE, MS .NET, OMG CORBA, Spring, etc.)
- Familiarity with application authentication and authorization systems (e.g., CA SiteMinder, RSA SecurID/ACE, MS Active Directory and LDAP)
- General knowledge of cryptography (symmetric and asymmetric encryption, digital signatures, message digests, certificates, PKI, SSL/TLS, etc.)
- Professional network and/or security certifications a plus (e.g., GIAC, CISSP, CISA, CISM, CRISC)
- Cloud security/automation certifications a plus (e.g., GCSA, AWS Cloud Practitioner or beyond)
- Penetration testing certifications a plus (e.g., OSCP, GWAPT, Burp Suite Certified Practitioner)