Application Security Analyst

Information Systems Gurgaon, Gurgaon


Omschrijving

Trek is seeking an application security analyst to join our growing global Information Security team.

The candidate should have a high-level understanding of the modern cyber security landscape, a background in application development, secure coding practices, static and dynamic code analysis, and/or process documentation. It is important to be able to guide and assist developers in creating robust and secure code, as well as be able to build and/or assemble tools. The candidate will need to have the ability to understand the business and the impact of code defects on business risk, as well as the ability to communicate technical details in a business context. It is essential for the candidate to have the continual drive to learn new techniques and new technologies to expand their skillset, as well as the ability to share that information with others.

Responsibilities

Application Security Program Support (80%)

  • Participate in security testing and assessments. Develop comprehensive security test suites and processes with developers and QA teams
  • Evaluate and prioritize newly discovered or reported software and implementation vulnerabilities by risk
  • Interact with other departments to communicate status and priority of open vulnerabilities and understand the current state of remediation to resolution within defined timelines
  • Review and remediate vulnerabilities as assigned
  • Develop, maintain, and report quality metrics on application vulnerability status, trends, and level of risk
  • Create training and informational materials for development and QA teams on common application vulnerability types (e.g. OWASP Top 10, CIS controls) and Secure Software Development Lifecycle framework
  • Work closely with folks in governance and compliance roles to ensure compliance with applicable rules and regulations, such as PCI-DSS, GDPR, CIS controls

Application Security Analysis and Maintenance (20%)

  • Analyze static code analysis reports for internally developed applications
  • Maintain demonstrable knowledge of current vulnerability exploitation techniques
  • Maintain dynamic and static analysis toolsets to ensure scans are accurate and running regularly
  • Collaborate with 3rd-party security product and service vendors to track and understand open security issues and effectively apply security tools to the application environment

Qualifications

  • Bachelor’s degree in computer science, information systems, electrical engineering, or other related field; or equivalent work experience
  • 5 years’ work experience in application development, IT, or cybersecurity, with at least 2 years’ in application development
  • Demonstrated ability to meet deliverables, timetables, and deadlines
  • Must have experience writing technical documentation
  • Possess personal integrity and display highly ethical behavior to inspire confidence in others
  • We prefer to see someone that has experience in four or more of the following:
    • Secure Software Development Lifecycle (architecture, design, and methodologies)
    • Threat modeling (STRIDE, DREAD)
    • Understanding of Security frameworks and regulations (OWASP, CIS, PCI-DSS, GDPR, NIST)
    • Source code review (automated and manual)
    • Understanding of SOAP and RESTful APIs
    • Common understanding of OAuth and SAML protocols
    • Strong understanding of transport level encryption
    • Web, mobile, desktop, and/or embedded application vulnerability scanning and penetration testing
    • Understanding of application reverse engineering
  • Experience in at least two of the following toolsets strongly preferred:
    • Web application security test suites, such as BurpSuite or OWASP ZAP
    • Vulnerability scanners, such as Tenable, OpenVAS, or Qualys
    • Code analysis tools, such as SonarQube, Microsoft Security Code Scan, or Veracode
  • Understanding of continuous integration methodology and associated tools
  • Proficiency in .NET (C#), Java, and JavaScript
  • Experience with web and application servers such as IIS, Jetty, Tomcat, and Nginx
  • Experience with database servers such as Microsoft SQL Server, CosmosDB, and Oracle DB
  • Experience with cloud and web platforms such as Microsoft Azure and Docker
  • Proficiency in building and automating tasks with a scripting language, such as PowerShell, Bash, Python, Ruby, Node.js, or Groovy
  • Understanding of cyber security threats, risks, vulnerabilities, and attacks, leading to insight about threat actor motives, tactics, and techniques
  • Knowledge of current and emerging security and information technology standards and practices

We are an E-Verify employer.

For more information, please click on the following links:
E-Verify Participation Poster: English / Spanish
E-Verify Right to Work Poster: English | Spanish