2022-07-29 11:26:48

Application Security Analyst

CVMarket.lt client

Job Description

As an application security analyst working closely with the penetration testing team, you will be expected to:
• Contribute both on an individual application basis and on a global strategic basis to raise the application security posture across the organisation
• Identify application security vulnerabilities through a combination of security assessment techniques
• Develop security standards and guidelines for applications developed within the company
• Disseminate specialist application security knowledge to both the security and development communities
• Innovate towards the goal of establishing novel application security services and enhancing existing services

Accountabilities:
• Support application security assessment coverage across the company
• Work with the global team and external entities to deliver Application Security services
• Analyse and review identified security issues for confirmation and false positive removal
• Supplement automated assessment techniques with manual security assessment approaches
• Communicate identified security issues and mitigation/remediation options to the development community
• Generate reports and follow up on issues until closure
• Develop and deploy tools, techniques and capabilities to enhance the ability to deploy, scan and assess the global estate
• Develop automation scripts to enhance and automate the process
• Technical competency to conduct a web application assessment
• Working knowledge of related technology from IBM, HP etc. is desired
• Address questions on application and information security topics
• Explain security topics at varying technical levels, from high-level concepts for executives to low-level technical details for developers
• Develop an Application Security course syllabus based on target audience proficiency level
• Create training materials including demonstrations, hands-on labs and multimedia
• Engage various corporate departments (e.g. HR, Estate Management, Learning Management System etc.) for training roll-out
• Develop secure development guidelines
• Manage secure development certification of developers
• Promote the awareness and importance of application security education

Requirements

• Application security assessment techniques and their relative merits, including: SAST, DAST and manual assessment
• Application Security vulnerability knowledge, including OWASP, SANS Top 25, etc.
• Understanding of Application security issues, coding standards, strong communication skills and ability to articulate them to developers and project managers
• Understanding of the security mechanisms associated with Applications, operating systems, networks and databases
• Awareness of emerging Application Security technologies
• Knowledge of multiple programming languages: Java (J2EE/Android), C#.NET, C/C++/JNI, Objective-C
• Experience working with web and mobile development projects as a developer or security subject matter expert
• Knowledge of Secure Development Lifecycle methodologies, development platforms (Java and .NET etc)
• Knowledge of middleware platforms (e.g. WebSphere)
• Knowledge of compilers, build processes, executable file formats and OS/VM execution environments (ARM/x86, iOS, Android, Windows, *NIX, JVM, CLR etc)
• Familiarity with web application multi-tier architectures and operation (session management etc)
• Wider SDL activities such as threat modelling and design review
• Familiarity with process of reverse engineering and associated low-level technologies such as assembly (RISC/CISC) and tools (IDA etc)

Company offers