- Work independently, as part of a team, or as a project lead to deliver the following:
  - Development of the application security program, policies, and processes
  - Security assessments and reviews
  - Advisory services to development teams on building secure applications
  - Implementation of scanning technologies (e.g. IBM AppScan, HP Fortify, Qualys, etc.)
- Determine the risk profile of the applications by verifying application controls vs information security policy.
- Perform analysis of all scans, both standalone and enterprise, and prepare a written report of analysis.
- Connect and leverage other resources in information security to ensure accurate assessment of security controls as needed.
- Assist product owners and technology staff with analysis and interpretation of identified information system vulnerabilities, and offer the consulting help needed to remediate them.
- Oversee and manage the documentation of flaws into risk registry and track remediation activities.
- Secure SDLC advisory and implementation: analyze the security controls to be implemented across the development lifecycle, perform gap analysis against standards and benchmarks, recommend security technology and process controls, and project-manage their implementation.
- Assist in the generation of metrics to drive the continuous improvement program and present current state of security status to management team.
- Keep up to date on the latest trends and develop the application security expertise required to assess application controls successfully.
- Support internal practice development initiatives, including improving the tools, templates and techniques used to deliver engagements, conceptualizing new services and solutions, and developing technical papers and marketing collateral.
- Manage one or more projects to ensure quality deliverables are produced within timeline, scope and cost. Identify, report and manage project risk, including escalations, scope creep, resource issues, customer delays, etc.
- Support the firm's presales activities, such as attending presales calls, responding to RFPs, solution engineering and presentations, effort estimation, staffing, etc.
- Working knowledge of application security (OWASP, SANS, NIST, CWE, CVSS, OSSTMM, etc.), the programming patterns that lead to application vulnerabilities, and the corresponding remediation techniques
- Experience with software security testing (static and dynamic analysis)
- Familiarity with high-level programming languages (e.g. Java, C#, Python, etc.)
- Familiarity with development lifecycles such as waterfall, agile, etc.
- Experience in technical security architecture assessment/advisory, including at application, network, and system levels.
- Understanding of UNIX and/or Windows operating systems, networking technologies and tools, and CIS benchmarks
- Experience using one or more scanning tools and utilities such as IBM AppScan, HP WebInspect, HP Fortify, Acunetix, Nessus, Nipper, Qualys, Rapid7, Checkmarx, Burp Suite Professional, etc.
- Demonstrable documentation and business reporting skills.
- Ability to work independently with minimal direction; self-starter/self-motivated
- Strong interpersonal and communication skills; ability to work in a team environment
- Communicates effectively with clients and seeks to understand and anticipate their needs.
- Continuously finds new solutions to problems and actively shares knowledge with the team.
Learn more about our Risk Advisory Services.