Information Technology: systems development, business analysis, architecture, project management, data warehousing, infrastructure, maintenance and production
Job Title: Specialist, Application Security
The Application Security Specialist will be tasked with identifying vulnerabilities in applications developed either in-house or externally, and in their supporting infrastructure, while assisting the software engineers and IT teams in remediation efforts and researching threats and attack vectors that impact web, enterprise and mobile applications.
Penetration Testing and Vulnerability Assessment
- Perform penetration testing and vulnerability assessment on web, enterprise and mobile applications.
- Assist software engineering teams with the configuration, tuning and operation of SAST and DAST tools, and their integration into the development process.
- Help to validate and interpret SAST, DAST and penetration test findings, demonstrate identified vulnerabilities, assess risks, evaluate possible fixes, and verify successful remediation.
- Help to develop and collect metrics to measure the success of the application security program.
- Assist with the incident response procedures.
Policy and Security Awareness Training
- Contribute to the development/delivery of awareness training and general Information Security education.
- Assist in creating training for, and delivering it to, software engineering team members on secure code development and other security literacy topics.
Access Controls Review
- Perform periodic reviews of the rules and processes used for granting and revoking access to applications.
- Report the results of technical IT Security assessments, with conclusions, recommendations for improvement and follow-up status, to the Manager, Information Security.
Incident Response Management
- Assist in investigating all identified security breaches, or concentrated attempts at breaching security controls.
- Investigate reported breaches of security, potential abuses, intrusions or interference with the bank’s infrastructure, and coordinate mitigation or responses as needed to ensure the bank’s sensitive data is kept secure.
Research and Development
- Research threats and attack vectors that may impact applications and infrastructure. Stay up-to-date with current offensive and defensive tactics, techniques and procedures.
- Research and report on emerging cyber threats and coordinate proactive internal countermeasures.
Key performance measures
- Number and severity of vulnerabilities found in web applications.
- Number of resolved security vulnerabilities.
- Number of security flashpoints identified.
- Compliance level of country application security.
- Number of awareness sessions held with software engineers.
- Number of security reports to senior management and the Board.
- IT Audit rating by Internal Audit, Routine Control, and external audit.
- Maintain a supportive, co-operative working relationship with software development engineers, business unit heads, Risk, Routine Control, and Internal Audit departments.
Problem solving, planning and decision making
- Required to draw on information security expertise to assess issues and problem areas, and to advise on the best solution(s).
- Able to take the initiative within limits of authority.
- Required to follow laid-down policies and procedures at all times.
- Required to develop a strategic security plan, with supporting short-term plans for daily security activities and periodic assessments/reviews.
- Able to deal efficiently with work volumes while remaining focused on priorities.
- Ability to note, document and follow up on issues at all times.
Preferred Qualification and Experience
Experience in writing and testing web applications and web services, including the following:
- Should be familiar with a variety of development and testing tools, including Eclipse, Git, GCC, JIRA, Subversion, Maven, HP/Fortify SCA and IBM AppScan.
- A minimum of 2 years' experience in web application development and a minimum of 1 year's experience in information security/technology risk reviews across enterprise operating systems, databases, applications and networks.
- A degree in Computer Science, Management Information Systems or Computer Engineering.
- Relevant certifications include: Certified Ethical Hacker (CEH); Certified Information Systems Security Professional (CISSP) or Certified Information Security Manager (CISM).
- Candidates must be able to explain all vulnerabilities and weaknesses in the OWASP Top 10, WASC TCv2 and CWE 25 to any audience and discuss effective defensive techniques.