Trek is seeking an application security analyst to join our growing global Information Security team.
The candidate should have a high-level understanding of the modern cyber security landscape, a background in application development, secure coding practices, static and dynamic code analysis, and / or process documentation.
It is important to be able to guide and assist developers in creating robust and secure code, as well as be able to build and / or assemble tools.
The candidate will need to have the ability to understand the business and the impact of code defects on business risk, as well as the ability to communicate technical details in a business context.
It is essential for the candidate to have the continual drive to learn new techniques and new technologies to expand their skillset, as well as the ability to share that information with others.
Application Security Program Support (80%)
Participate in security testing and assessments. Develop comprehensive security test suites and processes with developers and QA teams
Evaluate and prioritize newly discovered or reported software and implementation vulnerabilities by risk
Interact with other departments to communicate status and priority of open vulnerabilities and understand the current state of remediation to resolution within defined timelines
Review and remediate vulnerabilities as assigned
Develop, maintain, and report quality metrics on application vulnerability status, trends, and level of risk
Create training and informational materials for development and QA teams on common application vulnerability types (e.g. OWASP Top 10, CIS controls) and Secure Software Development Lifecycle framework
Work closely with folks in governance and compliance roles to ensure compliance with applicable rules and regulations, such as PCI-DSS, GDPR, CIS controls
Application Security Analysis and Maintenance (20%)
Analyze static code analysis reports for internally developed applications
Maintain demonstrable knowledge of current vulnerability exploitation techniques
Maintain dynamic and static analysis toolsets to ensure scans are accurate and running regularly
Collaborate with 3rd-party security product and service vendors to track and understand open security issues and effectively apply security tools to the application environment
Bachelor’s degree in computer science, information systems, electrical engineering, or other related field; or equivalent work experience
5 years' work experience in application development, IT, or cybersecurity, with at least 2 years in application development
Demonstrated ability to meet deliverables, timetables, and deadlines
Must have experience writing technical documentation
Possess personal integrity and display highly ethical behavior to inspire confidence in others
We prefer to see someone that has experience in four or more of the following:
Secure Software Development Lifecycle (architecture, design, and methodologies)
Threat modeling (STRIDE, DREAD)
Understanding of security frameworks and regulations (OWASP, CIS, PCI-DSS, GDPR, NIST)
Source code review (automated and manual)
Understanding of SOAP and RESTful APIs
Common understanding of OAuth and SAML protocols
Strong understanding of transport level encryption
Web, mobile, desktop, and / or embedded application vulnerability scanning and penetration testing
Understanding of application reverse engineering
Experience in at least two of the following toolsets strongly preferred:
Web application security test suites, such as BurpSuite or OWASP ZAP
Vulnerability scanners, such as Tenable, OpenVAS, or Qualys
Code analysis tools, such as SonarQube, Microsoft Security Code Scan, or Veracode
Understanding of continuous integration methodology and associated tools
Experience with web and application servers such as IIS, Jetty, Tomcat, and Nginx
Experience with database servers such as Microsoft SQL Server, CosmosDB, and Oracle DB
Experience with cloud and web platforms such as Microsoft Azure and Docker
Proficiency in building and automating tasks with a scripting language, such as PowerShell, Bash, Python, Ruby, Node.js, or Groovy
Understanding of cyber security threats, risks, vulnerabilities, and attacks, leading to insight about threat actor motives, tactics, and techniques
Knowledge of current and emerging security and information technology standards and practices