Responsible for application security policy development and maintenance at the enterprise level. Monitoring compliance with corporate Information Security policy and applicable law. Working with the application development teams, the Sr. Application Security Analyst will monitor, assess, and fine-tune the Application Development policies through incident monitoring and analysis, as well as tracking remediation of system/application vulnerability assessment scan findings and 3rd party risk assessment reviews, as required.
20% - Lead work with developers to consult and refine security checkpoints in the SDLC that are based on the PCI Data Security Standard and other industry-accepted doctrine such as NIST SP 800-115 and/or ISO security standards.
20% - Proactively identify and develop secure coding standards that are based on industry-accepted best practices such as OWASP Guide, SANS CWE Top 25, or CERT Secure Coding to address common coding vulnerabilities.
20% - Use automated tools to perform source code security analyses to identify vulnerabilities and attack vectors in web applications.
10% - Consult with information security analysts to refine web application penetration testing methods and breadth of security services.
10% - Obtain and review all required artifacts as part of go/no-go analyses at security checkpoint phases in the development cycle.
10% - Assist with periodic security risk assessments, IT security audits, and management reporting.
5% - Review and coordinate changes to information security policies, procedures, standards, and audit work programs in a continuous improvement model.
5% - Train developers in the use of industry standard tools to conduct static code reviews prior to software being implemented in a production environment.
· Experience with code scanning toolsets such as Fortify and Ounce
· Experience with Web Application Firewalls
· Knowledge of OWASP tools and methodologies
· Understanding of HTTP and web programming
· Knowledge of common security requirements within ASP.NET applications
· Knowledge of standard SDLC practices
· Minimum of 5 years of work experience in application security
· Minimum of 5 years of IT or software development experience
· Ability to complete tasks and deliver professionally written reports for clients
· Ability to present findings to technical staff and executives
· Strong ethics and understanding of ethics in business and information security
· Proficient English language written and oral communication skills
· Understanding and familiarity with common code review methods and standards
· Experience with static analysis tools (e.g., IBM Appscan Source, HP Fortify)
· Experience with vulnerability scanning tools (e.g., Qualys, Nessus, Nexpose, Saint)
· Experience with web application vulnerability scanning tools (e.g., Qualys, IBM AppScan, HP Webinspect)
· Degree in either Computer Engineering, Computer Science, or Information Systems Management
· Experience with high level programming languages (e.g., Java, C, C++, .NET (C#, VB))
· Experience with web application development (e.g., ASP.NET, ASP, PHP, J2EE, JSP)
· Possess current security certifications (e.g., CISSP, CEH)