UST Global is looking for a talented and creative Application Security SME who will work with one of the leading FinTech companies in the US. The ideal candidate should have the ability to work creatively and analytically in a problem-solving environment, must possess excellent written and verbal communication skills, and must have the ability and know-how to collaborate effectively with domain experts and the IT leadership team.
Purpose of Role / Short Description
This resource is an expert in the Application Security domain with 15+ years of overall IT experience and 8+ years of experience in the security domain, focused on application security. This resource will be responsible for providing technical expertise to help us continue to strengthen the Application Security program. Key skills: SAST/OSS/Black Duck/Coverity.
Profile (Experience)
Application Security:
Minimum 8 years of experience in Application security.
Strong knowledge of SSDLC and hands-on experience with threat modeling, design reviews and peer code reviews as part of the secure development lifecycle.
Strong knowledge and understanding of information security practices and policies, including Information Security Frameworks, Standards, and best practices.
Strong knowledge and experience in SAMM 2.0 Assessment.
Must have experience in implementing Threat Modelling and performing Secure Architecture Design Reviews.
Must have experience in writing AppSec standards and guidelines.
Application security testing on web applications, mobile applications, network devices and servers.
Hands-on experience with the technology and the ability to contribute to the design, development and support of projects with security recommendations.
Strong knowledge of security frameworks (OWASP Top 10, SANS Top 25 and OWASP API Top 10), secure coding practices, information security principles and architecture, and industry-specific audit frameworks.
Must have knowledge of the main security-related activities in development, such as Risk and Privacy Assessment, Threat Modelling and Security Code Review.
Must have a deep understanding of the nature of security threats and their classification.
Must have knowledge of the most common threat implementations in application security (e.g. XSS, SQL injection, XSRF, buffer overruns, brute force, rainbow tables, DoS, etc.).
Familiar with existing security standards (e.g. PCI DSS, HIPAA, NIST, Common Criteria, etc.) and what it means to implement compliance with them.
Familiar with the tools for various security activities: SAST, OSS, DAST, IAST and SCA, including penetration testing.
Key Responsibilities
Hands-on experience with SAST, OSS, DAST, IAST and SCA, including penetration testing and fuzz testing tools.
In-depth knowledge of NIST/OWASP/SANS/ISO 27001/ISO 27002 standards.
Design test tools to break into security-protected applications and networks to probe for vulnerabilities.
Provide triage and remediation support after security vulnerabilities are reported.
Excellent interpersonal, verbal and written communication skills
A flexible attitude with respect to work assignments and new learning
Ability to manage multiple and varied tasks with enthusiasm and prioritize workload with attention to detail
Hands-on development using Java / J2EE or .NET technologies or any web applications.
Strong knowledge and experience in handling tools such as:
SAST: Fortify, Coverity or Checkmarx
OSS: BlackDuck
DAST: Burp Suite or Acunetix or any
IAST: Hdiv Detection or any
SCA : Black Duck or any
DB Vulnerability Scanning: Snyk or any
Vulnerability scanning tools: Nessus Professional or any
Penetration Testing: Metasploit or any
API Security Tools: Checkmarx or any
Good understanding of Object-Oriented Analysis and Design
Good understanding of any application web servers
Knowledge of ISO 27k, Governance, Risk and Compliance concepts, standards and frameworks
Experience in using InfoSec assessment/audit tools and/or controls-based industry standard frameworks
Good understanding of DevSecOps practice and DevOps Life Cycle
Familiar with code management systems (e.g.: GitHub/ BitBucket), CI/CD system (e.g.: Jenkins), Docker, Kubernetes, microservice architecture, OAuth 2.0, OpenID Connect.
Good understanding on Network Security and Data Security.
Function: Global Information Security
Sub-Function: Application Security
Location: Onsite or Offshore (US hours, 7 AM to 4 PM).
Assessment / Certification: Certifications such as CISSP, CSSLP, CCSP, CREST, OSCP, CEPT or CompTIA PenTest+ would be preferred.