Application Security Analyst

Description:

The Application Security product manager is looking for an Application Security Analyst who will be responsible for working with application development team to analyze application code vulnerabilities and involved in running security scans which include but not limited to SAST, DAST, IAST, Mobile, and ad-hoc dynamic testing. Also, Analyst will play role in extending WAF deployment for large number of applications. The candidate will play a key role in a major cybersecurity transformation initiative of "Shift left and Secure Early" as well as implementing additional security controls in SDLC.

The role entails taking responsibility of analyzing security vulnerabilities and capability to provide mitigation solutions to fix issues by writing secure code, providing guidance to application teams, and coordinating with cross functional teams across the platform.

Key responsibilities:

• Hands-on experience working with DevSecOps pipeline using CICD automation tools like Jenkins, TeamCity, GitLab, GitHub Action, Checkmarx, GitHub Advance Security, BurpSuite, and open-source tools.
• Implement Application Cyber Security Controls/Policies and standards developed by Application Security Program.
• Lead deployment of WAF for existing and new applications
• Ability to demo security vulnerability to application teams.
• Drive application security issues to a resolution.
• Provide a clear guidance to application teams during vulnerability mitigation effort
• Conduct application security assessment using standard Stellantis application security tools
• Collect and report status on application security assessments including milestones, deliverables, timing, tasks, risk areas, and status
• Categorize and recommend assessment strategies for existing and new application development
• Coach development and supplier teams on application security
• Develop user training material and conduct training sessions

Qualifications:

• Bachelor's degree in computer science, Technology or other related field.
• Strong understanding of application architectures, development methodologies, and programming languages.
• Problem-solving skills and the ability to work both independently and as part of a team.
• Technical writing and communication skills to articulate security risks and findings to both technical and non-technical audiences
• Hands on experience reviewing application security secure code preferred in Java, C#, Python etc. popular programming languages.
• Background experience with application development - compiled code, mobile applications, website design, web services
• Hands on experience running SAST, DAST, IAST, SCA and Mobile scans
• Knowledge of security and compliance frameworks like NIST and ISO
• Understanding and experience in NIST SSDF or other secure software development frameworks
• Experienced and knowledgeable in deployment of WAF tools such as Akamai, Cloudflare, Azure Front Door, and AWS WAF etc.
• Knowledge of the OWASP Top 10 and mitigation strategies for each

• Knowledge on techniques of web attacks, DDoS attacks and BOT attacks and management/mitigation controls for them
• Experienced with cloud platforms (AWS, Azure, GCP) and container frameworks
• Knowledge of programming, scripting, and query languages such as Java, SQL, HTML, JavaScript
• At least 5 years of application security analysis, testing and DevSecOps experience.
• Prefer that candidates will have experience in scripting languages.
• Preferable is candidate has GIAC GWEB, ISC2 CSSLP, EC-Council CASE or other comparable professional certificates