Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Jobs InfoSec Jobs

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Application Security Specialist
Company GfK
Location London, UK
Preferred GIAC Certifications GWEB, GWAPT, GCIH, GPEN, GSEC
Travel 0%
Salary Not provided
URL Not provided
Contact Name Matthew Bullimore
Contact Email matthew.bullimore/at/gfk.com
Expires 2020-04-07

Job Description

GfK
Our world is changing fast. Consumers, users, and buyers are calling the shots. New things become possible every second. And more complicated, too.
Our clients are businesses around the globe. To make the best possible decisions every day, they need to really know what is going on, now and in the future.
We don't have a crystal ball, either. But we love data and science and we understand how to connect the two. We care about attention to detail and accuracy. We are digital engineers who build world-class research, powered by high technology.
Because people who know best lead the way. This is why GfK means Growth from Knowledge.
Background

As an IT Security Specialist, your role will be to work with various technical and business Application owners to address vulnerabilities in GfK systems (GfK currently has over 1,000 public web-sites/services). Working within the Information Security team to ensure that service owners identify a viable plan to remediate issues and/or reduce risk by deploying other compensating controls.

Key Responsibilities
• Creating and launching authenticated and un-authenticated application vulnerability scans on different platforms, using tools such as Veracode/NetSparker/Burp/Zap
• Manually validate findings from vulnerability scans to eliminate false positives
• Work in a fast-paced environment to identify and assist troubleshooting of vulnerabilities identified during application vulnerability scans
• Explain risk and criticality of identified vulnerabilities to business owners/technical teams and advise on remediation activities, including attending development/engineering stand-ups
• Work with business application owners/technical engineering teams on remediation plans and provide assistance to the teams on what to fix and how to fix it
• Responsible for creation of vulnerability tickets based on application vulnerabilities identified during scans, and update tickets as technical remediation plans progress to completion
• Production of remediation re-scans and documentation to confirm vulnerabilities have been remediated, and track closing of tickets
• Create a CMDB of web products and perform a risk assessment
• Perform threat modelling on web applications
• Assist with management and tuning of the Web Application Firewall (WAF)
• Arrange third-party penetration tests
• Support security incidents involving Cloud environments and web services
• Contribute to the application security framework
• Part of the Security Community of Practice (CoP)
• Run static scans/perform code/third-party library reviews to identify security weaknesses
• Conduct risk assessments of web applications
• Take ownership of additional duties as required

Skills:
• Should have the ability to understand customer scenario and application requirements
• Good knowledge of various development technologies, including: .net, php
• Good understanding of vulnerability management concepts and working experience with one or many of these terminologies: Application vulnerability scanning (Authenticated and Un-authenticated), vulnerability prioritisation, vulnerability reduction, vulnerability ticketing, vulnerability remediation, vulnerability closure and vulnerability tracking
• Good troubleshooting skills
• Excellent communication skills and ability to work with global counterparts
• Experience of working on large security remediation programmes
• Forward looking approach to addressing existing & upcoming security challenges

Technical Skills:
• Strong knowledge of OWASP
• Ability to think like a hacker
• Understanding of DAST (Dynamic Application Security Tools), such as Veracode, Netsparker, Zap, Burp, Acunetix (ideally Veracode/Netsparker).
• Domain expert in security with respect to web development and enterprise app development.
• Experience in the software development lifecycle
• Full understanding of remediation logging, planning, and ongoing activities.
• Full understanding of web stack, web security and common vulnerabilities (e.g. SQLi, XSS etc.)
• Development skills to facilitate code reviews or tool development
• Understanding of network devices like firewalls, routers, etc. and platforms such as Windows, Unix, etc.
• Experience in performing vulnerability scanning in cloud and on-prem environments.

Experience:
• Minimum of 5 years’ experience of relevant IT experience, with at least 3 years devoted specifically to Application Security;
• Educated in Cyber Security/Computer Studies/Engineering
• SANS training or GIAC/OSCP/OSWE certification desirable
• Experience working in an Agile/Sprint based delivery environment (using Jira/Confluence or other bug tracking tools) would be an advantage in this role