Static Analysis - Application Security Consultant Job in Principal Financial Services

Job Summary

Reporting Relationship (Job Titles Only):

This position reports to: Delivery Manager

Direct Reports:

Description

Position Title: Consultant

Business Unit: Information Security & Risk

Date Written:

Position Purpose: The application security consultant is responsible for working with application development and infrastructure teams to ensure applications are designed, coded, and implemented securely. S/he will act as a subject matter expert on application security design review and code review, and may assist with dynamic analysis activities. This is a hands-on technical position in which you will find yourself collaborating with multiple groups across the organization. Strong communication skills are needed to explain complex security topics to audiences at a wide variety of technical levels. Experience as a full-time developer for some stretch of the candidate's career is essential.

Essential Functions (in order of importance):

1. Be recognized as the go-to person for internal product application security vulnerability and engineering questions and requests.

2. Perform and review secure code reviews in multiple programming languages, using tools like the Fortify SCA stack.

3. Triage others' SAST results, review reported false positives, and assist developers in remediating vulnerabilities. Help others do the same.

4. Troubleshoot SAST service integrations with on-premise and cloud infrastructure, facilitate vendor or broader team support, and help refine vague requests from teams.

5. Think about problems from an out-of-the-box perspective; do not always default to industry norms.

6. Strong ability to analyze and resolve cyber security issues.

7. Conduct design review, code review, and dynamic analysis.

8. Serve as a subject matter expert for application development teams

9. Communicate effectively with people at a wide variety of technical levels.

Role Description

Perform web and mobile application testing, source code reviews, and embedded, API, and thick client security assessment reviews.

Required Skills

1. This position requires the candidate to have at least two years of development experience in an enterprise environment with one or more of the following languages: Java, C#, and/or JavaScript, with credit for exposure to Python, PowerShell, R, Scala, Ruby, COBOL, and more.

2. Experience with enterprise applications and achieving a high level of attack resistance (architecture, identifying & analyzing trade-offs, development, support, and troubleshooting)

3. Strong interpersonal and communication skills; ability to work in a team environment

4. Ability to work independently with minimal direction; self-starter/self-motivated

5. Willingness and aptitude to learn new programming languages and new development tooling

6. Experience using Micro Focus Fortify (or verifiable experience with one of its enterprise competitors) to review application code for security vulnerabilities

7. Strong understanding of and the ability to apply CVSS scoring to specific risk assessment challenges

8. Strong understanding of common coding weaknesses and approaches to their mitigation

9. 5+ Years of Experience in Application Penetration Testing, Secure Development Life Cycle (nice to have)

10. Sound knowledge of common web application security vulnerabilities (OWASP Top Ten, SANS Top 25, WASC, etc.) and programming patterns that lead to them, as well as remediation techniques

11. Sound knowledge of network protocols

12. Working knowledge of authentication and identity management technologies

13. The ideal candidate will also have scripting abilities in one or more of the following: Python, PowerShell, JavaScript, etc.

14. Experience integrating code scanning capabilities with tools such as: Jenkins, Bamboo, TFS, CircleCI, TeamCity.

15. One or more of the following certifications: CISSP, CSSLP

16. Direct, hands-on experience managing infrastructure

17. Full-stack knowledge of IT infrastructure: Applications, Databases, Operating systems (Windows and Linux)

18. Threat modeling of services and applications that tie to the risk and data associated with deployed applications in given business contexts

19. Experience with other static code analysis tools such as Checkmarx, AppScan Source, FindBugs, FindSecurityBugs, or Coverity

20. Experience using Burp Suite and/or Wireshark for troubleshooting and analysis

21. Knowledge about and experience performing application vulnerability assessments (AKA: app pen tests)

22. Exposure to or participation in Red Team/Blue Team exercises

Key Responsibilities

1. Perform static code security analysis on a broad spectrum of application types that use a range of build tools and build environments and help developers do the same.

2. Perform component risk analysis using WhiteSource on-premise services and help developers do the same.

3. Work with individual application developers (and teams) to analyze specific code-level vulnerabilities along with their remediation. This requires sensitivity to context and assessment of trade-offs associated with various options.

4. Install, configure, use and maintain development languages, SDKs, and IDEs used across Principal companies, the Fortify SSC on-premise stack, and the WhiteSource on-premise component risk stack.

5. Be the leader-teacher and educate developers on security risks and risk management in order to scale security knowledge across our development teams. Effective communications are critical to your success in this role. You should be able to translate complex technical security issues and risk management opportunities into meaningful contributions that address relevant business needs.

6. Remain vigilant for opportunities to enhance our application risk management practices as well as to optimize those already in place.

7. Remain self-aware. You will not always be the smartest individual in the room. Listen. Learn from others. Apply what you learn to enhance and scale the SCSA and OSSR services to best meet the needs of our various constituencies.

8. Perform web, API endpoint, thick client, embedded, and mobile application vulnerability testing.

9. Meet with the application team to collect information and determine the scope of testing.

10. Install, configure, use and maintain scanning and testing tools. Knowledge of and experience with the required tools (Burp Suite, IBM Security AppScan, Veracode, Interactive TCP Relay, WinHex, Echo Mirage) is required.

11. Manually verify security vulnerabilities identified by automated tools

12. Perform manual testing to supplement results of automated scanning and testing tools

13. Provide status and resolve issues that impact testing as required

14. Document identified security vulnerabilities and related matters in a clear, concise and timely manner

15. Meet with the application teams to review, describe and explain identified security vulnerabilities and possible remediation

16. Retest application updates or deployed remediation logic to verify resolution of security vulnerabilities

Added advantages

1. Knowledge of current threat landscape both globally and locally, various cyber security domains, focusing on application security

2. Strong understanding of OWASP, NIST and CAPEC frameworks

3. Preferred certifications: OSCP, OSWE, ISC2 CISSP, CSSLP, GIAC GWAPT, GIAC GSSP-Java, GIAC GSSP-NET

Education: Minimum 15 years of formal education

Experience: 7 to 12 years

Skill: Must have fluent English communication skills (spoken and written)

Experience Required: Fresher

Vacancy: 2 - 4 Hires