Job Description

The organization’s Information Security and Compliance department is responsible for building, implementing, operating, and maintaining the technology controls associated with information security. In order to comply with various organizational policies and regulatory mandates related to Information Security/Privacy, the company’s Information Security and Compliance department is in the process of implementing a new Information Security Program and Risk Management framework based on various well-known information security standards and frameworks such as ISO/NIST, which includes requirements for a Secure Systems Development Lifecycle (S-SDLC). In order to effectively imbed an S-SDLC into Satschel’s development processes, the Information Security and Compliance department requires a dedicated Application Security Risk Analyst to work hands-on with the development teams to develop, roll-out, and provide oversight for a comprehensive S-SDLC program, including secure coding guidelines, architectural design reviews, static code analysis, dynamic testing, and penetration testing.

Must-Have Skills

• Architecture – 8 years
• Web API – 8 years
• CI/CD – 7 years
• Application Security – 6 years
• .Net – 6 years
• J2EE – 6 years
• C++ – 5 years
• Python – 5 years

Key Responsibilities

• Work with various senior IT leaders and application development areas to develop and implement the S-SDLC Program according to the organization’s unique information security risk management, governance, risk, and compliance processes;
• Provides oversight/governance of the S-SDLC Program and communicates progress and issues to the CISO, Senior Business / IT Leadership and Application Development teams;
• Serves as a consultant to disseminate specialist application security knowledge to the development communities;
• Researches and evaluates solutions and recommends the most efficient and cost-effective solutions for ensuring that security is built-in to all phases of the S-SDLC;
• Research and assess the latest BlockChain security vulnerabilities and events
• Leads demonstrations of application security tools to business and application development teams;
• Responsible for integrating & managing feeds from application security tools, vulnerability scans & penetration testing tools into the organization’s GRC platform;
• Responsible for the implementation and maintenance of Static, Dynamic, Interactive, and API application security testing tools (such as Veracode, Checkmarx, Synopsys, and Netsparker), scanning policies, user provisioning and security strategy documents, and any other related documentation;
• Initiates and develops innovative concepts to solve complex challenges in the Code Analysis Tools environment with little or no precedent; creates new opportunities to enable the use of new solutions. Provides conceptual guidance to other senior and high-level technical experts;
• Engages Veracode, Checkmarx, Synopsys, and Netsparker, and/or other third-party suppliers of application security software on system defects, support issues;
• Lead and manage organization’s bug bounty program;
• Stay knowledgeable of current advances in all areas of information technology concerning vulnerabilities, security breaches, or malicious attacks; Identify vulnerabilities or weaknesses in systems;
• Develop an externally focused view of the evolving threats facing the organization;
• Report to management on IT system vulnerability and protection against malware and hackers;
• Examine systems and procedures to identify potential adverse events, including but not limited to hardware and software crashes, physical disasters, malicious intruders, malware, denial of service attacks, and employee misconduct;
• Evaluate security policy, processes, and procedures for completeness;
• Assist in identifying breaches in the organization’s security or tracking the source of an unauthorized intrusion;
• Monitor and advise on information security issues related to the systems to ensure the security controls are appropriate and operating as intended; Ensure that controls are adequate to protect sensitive information systems;
• Develop and maintain security operating procedures and associated documentation;
• Identify inefficiencies and make suggestions for process improvements;
• Develop and implement the process for regular user recertification;
• Validate the removal process for application access for terminated employees;
• Perform semi-annual user access and entitlement reviews across the organization;
• Perform quarterly reviews and recertification of privileged accounts;
• Identify and document the various functions and processes within each application;
• Develop and maintain SOD matrices for each application used within the organization along with identification of toxic combinations;
• Identify any conflicting duties based on the SOD Matrix and toxic combinations and perform remediation;
• Develop roles and access profiles based on the SOD in collaboration with the business users;
• Identify and document a list of users and mapping to various functions and processes;
• Assist with internal/external audits and regulatory examinations (such as SOC, IAA (IT General Control Audits), DFS, etc.) as they relate to Identity Access Management and Application Security controls and remediation of issues discovered during the control testing’s;
• Track open audit issues to closure and reporting on status completion and progress;
• Review access control processes to identify vulnerabilities and the appropriate solutions to eliminate or minimize their potential effects;

Skills and Experience

• Minimum 7-8 years of experience in application architecture and design reviews
• Minimum 7-8 years of experience in application security assessment/testing experience (white box, black box, code review, and forensic testing)
• Knowledge of application security processes and standards including OWASP (ASVS etc.), CVSS rating, factors impacting risk rating, etc.
• Experience in threat modeling and application risk analysis
• Experience in application privacy impact analysis
• Experience in performing application decomposition and analyzing security issues
• Strong knowledge of designing, deploying, and maintaining security architecture in critical business applications
• Experience in performing evaluation and assessment of SDLC processes and security controls
• Experience in evaluating app sec processes to identify improvements and envision/develop automation within CI/CD pipelines
• Experience in developing Security testing scripts and procedures
• Hands-on experience with Static, Dynamic, Interactive, and API application security testing tools such as Veracode, IBM AppScan, Fortify, Web Inspect, Checkmarx, Synopsys, and Netsparker
• Experience in testing and assessing the security of mobile applications
• Experience with web services (API) architecture, security reviews, and testing.
• Experience in integrating application security tools and processes in CI/CD pipelines
• Coding experience with at least .NET, J2E, Python, C++, etc.
• Knowledge of cryptographic tools and security APIs
• Knowledge of microservice architecture
• Knowledge of BlockChain, Smart Contracts, DApps, etc.
• Solid understanding of networking concepts
• Solid understanding of operating system security concepts
• Solid understanding of Encryption, Certificate & Key Management Services (CM, KMS, HSM, etc.)
• Understanding of malware, emerging threats, attacks, and vulnerability management
• Experience assisting in the development and maintenance of tools, procedures, and documentation

Personal Requirements

• Required: Bachelor’s Degree from a four-year college or university in Engineering, Business Administration, Computer Science, Management Information Systems, Information Security.
• Certifications Required: CPT, CEH
• Certifications Optional: CISSP, AWS Certified Solutions Architect, AWS Certified Security Specialist, Google Cloud Architect, Google Cloud Security Engineer, CCSP (Certified Cloud Security Professional)