Principal Accountabilities:
- Lead by example and independently perform all functions and services of the GIS AppSec team.
- Conduct advanced web application, micro-services, API, cloud penetration tests of proprietary and 3rd party on-prem/cloud systems and applications.
- Perform targeted manual security reviews at key points in the software development life cycle.
- Perform peer reviews of assessment reports and provide constructive guidance to team members.
- Train others on tools and processes used in AppSec methodology.
- Provide technical guidance to team members and other stakeholders (e.g. development teams, project teams, business stakeholders).
- Provide input for strategic visioning / planning.
- Identify the need for, and develop, new security standards and reference architectures.
- Identify metrics that help measure performance, gaps in coverage, the need for headcount, and trends in findings.
- Identify and document process improvements, build team and management support for them, and prioritize the changes.
- Establish yourself as a recognized technical expert within the team.
- Have an interest in continuing your education and training and staying current within the application security domain.
Requirements:
- 12 years' experience performing security assessments of a wide variety of systems, applications and technologies, including both proprietary and industry-standard protocols.
- Expert knowledge and experience performing manual security reviews of application source code for security vulnerabilities, in various languages including: .Net (C#, VB), C++, .
- Expert-level skills with application security testing tools including: Burp Suite Pro, Kali, Checkmarx, sqlmap, nmap, Wireshark, etc.
- Expert knowledge of the Open Web Application Security Project (OWASP) Top 10 most critical web vulnerabilities and how to identify and remediate them.
- Advanced knowledge of application reverse engineering using tools such as: Java decompilers, .Net decompilers, IDA Pro, etc.
- Advanced knowledge of UNIX/Linux/Windows.
- Advanced knowledge of scripting languages such as: Python, bash, PowerShell, etc.
- Experience drafting Security Standards, Reference Architectures and Secure Technical Implementation Guidelines.
- Have a passion for application security testing and be able to share your passion and learnings with teammates and customers.
- Self-motivated and a self-starter (if you have a question, find the answer, ask somebody, figure it out, and communicate).
- Excellent oral and written communication skills.
- Deep knowledge of security frameworks like OWASP and experience with API security.
- Strong experience in source code review and security testing methodologies (SAST, IAST, DAST, RASP).
Nice to have:
- Certifications such as GWAPT, eWPTx, OSCP, OSWE, CISSP, or other relevant certifications are highly preferred.
(ref:hirist.tech)