Candidate should have:
- Minimum of 5 years of professional experience in application security, penetration testing, security assessment, secure software development, or a related field.
- Extensive knowledge of dynamic scanners such as Palo Alto Prisma or Veracode.
- Extensive knowledge of the OWASP Top 10.
- Experience with vulnerability risk and impact assessment.
- Experience integrating security capabilities in cloud and application lifecycle management platforms, especially in a DevOps model.
- Extensive knowledge of the secure development lifecycle.
- Extensive knowledge of static analysis tools and flaw triage, such as HP Fortify, IBM Rational, Veracode, Coverity, FindBugs, FindSecurityBugs, and Brakeman, and of scanning tools such as Sonatype CLM.
- Extensive knowledge of vulnerability scanners such as Qualys and Tenable.
Preferred:
- Extensive experience in application security and ethical hacking.
- Extensive experience exploiting web, mobile, and application security vulnerabilities.
- Extensive experience in software development.
- Extensive experience integrating secure coding techniques with product teams.
- Professional certifications such as CISSP, CISM, OSCP, and CEH.
Job Responsibilities:
- Identify weaknesses and vulnerabilities that affect the confidentiality, integrity, and availability of corporate protected, sensitive, and confidential information and data.
- Conduct Static Application Security Tests (SAST) and Dynamic Application Security Tests (DAST) using Veracode.
- Work within the DevSecOps model to secure containers within ROSA, Tekton, and OpenShift pipelines.
- Possess knowledge of CI/CD orchestration tools such as Jenkins, Tekton, GitLab, or Bamboo.
- Provide operational support for container security tools (e.g., Palo Alto Prisma, Aqua).
- Perform baseline image validation of new container template images.
- Perform vulnerability scans on container environments.
- Develop, test, and maintain security for containerized applications.
- Troubleshoot connectivity or operational issues.
- Ensure security requirements are implemented within various stages of the system development lifecycle; work closely with development teams to pen test new features within internally developed applications.
- Apply software development skills (e.g., Java, C#.NET, JavaScript) to recommend secure coding practices.
- Validate and address vulnerability/threat findings from static and dynamic analysis tools.
- Characterize threats and provide recommendations for remediation; manage remediation efforts to completion.
- Develop and present findings and remediation reports to team members across all department areas and levels of the company.
- Perform security reviews of software designs and assist developers to ensure quality and robustness of internal products.
- Conduct security assessments against web applications and APIs across various technology stacks.
- Ensure adequate security requirements and privacy by design are built into all architecture/infrastructure/projects.
- Integrate threat modeling practices into the application testing lifecycle.
- Impart application security and ethical hacking expertise into team processes.
- Drive improvements in the security testing practice, including execution methodology and metrics.
- Partner effectively with development and infrastructure teams to integrate security.
- Drive awareness and knowledge of security among developers.
- Communicate technical issues to non-technical leaders effectively.
- Continually improve proficiency in application and API exploitation, tools, techniques, and countermeasures.
Notes:
- There will also be a technical screening call on Teams, so candidates should be available for 15-20 minutes to take that call today only.
- The candidate needs to be local, as the 2nd round will be in person.
Focus on the below skills:
1. Container Security & Experience:
  - Priority is on candidates with strong container security experience (e.g., Kubernetes, OpenShift).
  - Additional focus on cloud experience, though it is secondary if the candidate excels in container security.
2. DevOps with Security Focus:
  - Looking for candidates with a solid DevOps background combined with security knowledge (a rare but desired combination).
  - Experience with CI/CD pipelines, GitLab security, and container-related security.
3. Skill Combination:
  - Ideal candidates will have a mix of container security, cloud exposure, and DevOps/security experience.
  - While they do not need all of these skills, strong proficiency in at least two of these areas is crucial.
4. Security Knowledge:
  - General understanding of security best practices is essential.
  - Security certifications (e.g., Security+) are a plus, but not mandatory.
  - Candidates must demonstrate knowledge of why security is critical in the relevant areas.