Application Security Consultant

Almawarid Group

Riyadh, Saudi Arabia

Ref: SP894-16

Job description / Role

Employment: Full Time

• The systems security development specialist is responsible for evaluating the security of software and applications.
• He/she should be involved in the complete software development lifecycle.
• Determine the required security controls.
• Assist in software design reviews.
• Identify functional and/or performance test cases.
• Conduct a risk assessment when a system, software or application undergoes a change.
• Conduct secure code reviews.
• Identify and implement security mechanisms to resolve issues in software development.
• Perform software quality assurance testing.
• Implement security measures for solving issues identified during software acceptance phase.
• Conduct vulnerability assessment activities prior to deploying the application.
• Evaluate and communicate the software testing results with the design team and stakeholders.
• Develop documentation for software programming and development, and secure software / system testing and validation.
• Develop and implement an application security program across the organization with periodic reviews to assess effectiveness.
• Develop secure coding standards and procedures, derived from leading security practices and industry standards, across all platforms.
• Develop a process for project risk rating to drive and inform SDLC rigor (e.g. threat modelling), which will be part of the SDLC process.
• Conduct security assessments on applications when in staging mode and provide risk assessment report for application owners before deploying them in production.
• Define an IT/OT application testing framework where regular reviews and mandatory checkpoints are conducted against defined standards prior to design completion.
• Develop a code integrity process where code signing is performed consistently and integrated into the SDLC process, and code obfuscation is applied wherever applicable.
• Conduct security assessments on applications in production.
• Review the IT/OT security controls for applications targeted with cyber threats.
• Maintain a centralized repository for SDLC processes integrated with regular tracking processes.
• Document a list of requirements where all intellectual property and production code are held in escrow.
• Develop guidelines for application security testing, including testing of mobile applications.
• Train testers on coding process using security test cases.
• Identify and assign personnel responsible for application security.
• Develop a process for conducting SAST and DAST activities on all developed applications.
• Implement Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) tools to identify vulnerabilities and weaknesses in applications before deploying into production.
• Develop a platform to allow users to report bugs/issues in the applications.
• Implement a WAF to protect the company's critical and externally facing applications.
• Ensure WAF logs are captured, archived and integrated to the SIEM solution.
• Create and maintain an inventory of all IT/OT applications including criticality and sensitivity ratings, reviewed at least once a year.
• Maintain a whitelist of IT/OT applications and application components authorized to be active on a host along with a list of trusted applications from vendors.
• Perform periodic scans to detect deviations from the baseline configuration standards.
• Develop a schedule to periodically review Web Application Firewall (WAF) signatures based on changes to application use cases and design.
• Develop training materials and implement training on application hardening relevant to all stakeholders.

Requirements

Knowledge:
• Network components, their operation and appropriate network security controls and methods.
• Cybersecurity and privacy principles as they apply to software development.
• Programming language structures and logic.
• Interpreted and compiled computer languages.
• Critical information systems that were designed with limited technical cybersecurity controls.
• Data security standards relating to the sector in which the company operates.
• Embedded systems and how cybersecurity controls can be applied to them.
• Intrusion detection and prevention system tools and applications.
• Complex data structures.
• Local and wide area networking principles and concepts including bandwidth management.
• Secure configuration management techniques.
• Software debugging principles.
• Software development models.
• Software engineering.
• System design tools, methods and techniques, including automated systems analysis and design tools.
• Web services.
• Secure coding techniques.
• Software quality assurance process.
• Developing software in high-level languages.
• Developing software for UNIX or Linux.

Qualifications:
• Bachelor’s degree in computer science, information systems, or related field.
• 10+ years of experience in information security.
• 7+ years of experience in security testing of software.
• ISTQB certifications, or equivalent certifications.

About the Company

We are a national group formed on the foundations of social responsibility and of building acquired value through hard work and quality of output. We aim to create a productive environment for our esteemed customers, so that they can carry out their work in accordance with standards of balanced performance that ensure continuity and reduce expected risk.
