Key Responsibilities:
- Integrating security tools, standards, and processes into the product life cycle (PLC)
- Ensuring that developers and QA personnel are trained with the appropriate level of security knowledge to perform their daily activities
- Improving and supporting application security tool deployments including static analysis and runtime testing tools
- Improving and maintaining secure development standards
- Supporting the incident response and architecture review processes whenever application security expertise is needed
- Managing annual penetration testing services, including both expert consulting and managed service.
- Providing manual penetration testing and standards gap analysis services to internal business and technology partners
- Managing application framework and perimeter security improvement projects.
- Supporting Vendor Security activities to ensure 3rdparty software and development meets security standards
- Providing security requirements for testdriven design
- Producing metrics reporting the state of application security programs and performance of development teams against requirements
- Identify application security risks and requirements for new projects and system developments. Enforcing security policies and procedures concerning production infrastructure
- Lead security architecture reviews
- Integrate threat modeling practices into the product lifecycle
- Perform Security Architecture and Low Level Application Security Design review involving: Data Protection, Authentication and Authorizations, Web Application Security and Network Security
- Sign-off on application security prior to live implementation
- Work with the architecture and development teams to review code for security vulnerabilities and embed/improve security threat modelling and secure coding in the development lifecycle
- Ensuring that necessary controls and processes exist to appropriately correlate and assess security events
Essential
- In-depth knowledge of application security vulnerabilities, testing techniques, and the OWASP framework.
- In depth understanding of secure web application development, Java, Java development frameworks, PHP, web services and SOAP,API
- Experience writing and testing web applications and web services in the following programming languages: C/C++, Java, and JavaScript. The candidate should have familiarity with a variety of development and testing tools, including: Eclipse, GIT, GCC, JIRA, Subversion, Maven, ClearQuest/Case, Silk, FindBugs, HP/Fortify SCA, IBM AppScan, and HP WebInspect
- Experience in application technology security testing (white box, black box and code review)
- Experience of web application and Agile development methodologies
- Understanding and familiarity with common code review methods and standards
- Understanding of Apache web server and Unix server operating systems
- Understanding of HTTP and web programming
- Knowledge of standard SDLC practices
- Knowledge of common security requirements within ASP.NET application
Skills/ Abilities/ Knowledge
- Highly developed organizational skills and attention to detail
- Ability to handle multiple projects and priorities simultaneously with a high degree of professionalism and client service orientation
- Excellent interpersonal and leadership skills
- Proven communication skills, both verbal and written
- Able to communicate effectively with internal personnel and clients on all levels
Desirable
- Good at building relationships with key internal and external stakeholders.
- Good at providing advice on information security, helping both technical and non-technical stakeholders understand the threats and vulnerabilities, and the options for treatment.
- Experience of participating in IT or technology investigations and activities including first responder responsibilities
- Successful candidates will be security evangelists who can translate security concepts into language that is meaningful to many audiences, including business and technical leaders and individual contributors
- Candidates must be able to approach application security from the perspective of risk management and avoid purely academic thinking about software security
- Demonstrable ability to influence decisionmaking processes at all levels of a large organization will be critical to success
- Candidates must have strong leadership skills and have excellent negotiation skills to work with highly technical individuals
- Candidates must have excellent verbal and written communication skills, including experience speaking in public forums and writing/contributing to technical publications
- Candidates should be familiar with waterfall and agile development processes and have experience integrating secure development practices into both models.
- Candidates must be able to explain all vulnerabilities and weaknesses in the OWASP Top 10, WASC TCv2, and CWE 25 to any audience, and discuss effective defensive techniques
Sunday, February 28, 2021
Application Security Architect - Penetration Testing (8-13 yrs) (Cynosure Corporate Solutions)
