Security Application Scanning Analyst (with OWASP and AppScan)

Description

Security Application Scanning Analyst (with OWASP and AppScan)

Role

The Security Assurance and Test Team are part of the Security division in charge of the security assurance.

The mission of the SAST team within GSBR is to implement and operate a set of applications security controls through an automated process integrated through the Software Development Life Cycle/s (SDLC). We ensure that corporate policies and OWASP guidelines are uniformly applied by development teams across all business unit.

• Analyse source code using automated static analysis scanning to establish a baseline.
• Correlate findings against the existing databases of known software vulnerabilities, to help identify security flaws during the development phase.
• Increase the software development teams knowledge of secure coding procedures, so the organization can build security with every release.
• Provide developers with guidance to understand, prioritize and remediate vulnerabilities.
• Enforce production scans with a Go-Live criteria: No OWASP Top 10 vulnerabilities.
• Report on key metrics on all scanned applications.

Profile

We are seeking a highly motivated individual with strong code review experience. You must be self-motivated and have the experience, personality, and passion to support developers and designers.

Technical Requirements

The main focus of the work will be in conducting operational activity, analysing source code findings and providing subject matter expertise to developers, using IBM Appscan Source.

Qualifications

Specific qualifications for the Security Analyst position include:

• At least 5 years of experience in IT industry.
• Web application development background in .NET or Java.
• Strong code review experience.
• Must be able to read source codes and detect bad coding practices.
• Must be able to guide developers on how to resolve/fix security issues..
• Strong security knowledge using IBM Appscan Source. or similar tools (Fortify, Veracode, etc)
• Familiar with OWASP, SANS, CWE initiatives.
• Knowledgeable about how security vulnerabilities can be exploited in application code by attackers and what are the coding best practices to prevent these attacks.
• Experience with end-to-end application software security processes including management and remediation of findings.

• Ensure compliance with established standards, policies, and performance guidelines.
• Focus on customers.
• Strive to exceed customer expectations and metrics.
• Build strong relationships with customers.
• Deliver Quality Results
• Stay focused, overcoming distractions and obstacles to achieve goals.
• Carries out assignments with thoroughness, accuracy and attention to detail.
• Act Ethically
• Act in accordance with the company's values.
• Act as a Team Player
• Develops and maintains productive working relationships with team members.
• Actively shares information and expertise.
• Support Change and Innovation
• Maintains a positive attitude in response to change and uncertainty.
• Effectively handles shifting demands and multiple priorities.
• Continually looks for ways to streamline processes, reduce costs and accomplish goals.

Additional Assets

• Experience with Software Development Life Cycle (SDLC).
• Experience using Microsoft Office suite including Word, Excel, Access, Etc.
• Experience using a Service Desk.
• Skills in one of the following languages and technologies: J2EE, .NET.
• Agile knowledge.
• Experience of leading or managing an application software security team would be an advantage.