The position provides Windows application security expertise to a wide variety of areas, including secure software development practices within the SDLC, security configuration management, and Windows application architecture in the cloud. This role will also focus on working with development and engineering teams. This will include conducting Windows application security reviews and application security tests (web, mobile, web service, and databases). These assessments involve manual testing and analysis as well as the use of automated application vulnerability scanning/testing tools such as AppScan, WebInspect, Burp Suite Professional and/or code review tools such as HP Fortify, Ounce Labs or Checkmarx. These job functions will require writing a formal security assessment report for each application that provides the findings and recommendations using a standard reporting format. This will be done for both application assessments and code reviews. Based on common issues or gaps that are identified, this role will write up enhanced policies and procedures to address these areas of risk. This role will be part of a team composed of developers, QA testers, Windows administrators, network security, and security architecture. Additionally, there will be other IT and business operations teams to interact with on a regular basis. It is important to be able to present Windows application security information in terms that business leaders can understand and use.
Requirements
Education: Bachelor's degree (B.S.) in Computer Science or a related field
Experience: Must have a minimum of 8 to 12 years of Windows experience that includes security experience for large global enterprise networks.
Required Skills:
- Must have previous and/or current Microsoft development language experience in some of the following: Visual Basic .NET, Visual C# .NET, Visual C++ .NET, Transact-SQL, VBScript, JScript, JScript .NET, XML, Visual J++, PowerShell.
- Requires Windows application security architecture experience with a good understanding of threat modeling, security patterns and security methodologies (e.g. OSSTMM).
- Relevant Microsoft certifications such as MCSE Solutions Expert and/or MCSD Solutions Developer
- Knowledge of OWASP tools and methodologies
- Understanding of HTTP and web programming
- Good understanding of Information Security standards, frameworks and best practices (e.g. OWASP, ITIL, COBIT).
- Good understanding and awareness of the documentation required as part of the secure software development lifecycle.
- Excellent communication skills (written and verbal) and able to articulate key messages to a range of audiences.
Preferred Skills:
- Relevant professional qualifications / certifications: SSCP, SANS, CEH, CHECK, CREST.
- Previous professional services consulting experience
Essential Functions
- Provide enterprise software development support for a test-driven approach, continuous integration, and Agile development practice on Microsoft platforms.
- Provide specific security expertise to development and engineering teams. Areas include database access, security testing, authentication methods, implementing encryption, and input validation.
- Provide support using Visual Basic .NET, Visual C# .NET, Visual C++ .NET, Transact-SQL, VBScript, JScript, JScript .NET, XML, Visual J++.
- Work with database teams on MSSQL Server, SQL, SSIS, SSRS, and other MSSQL-specific technologies.
- Provide support for MS IIS and/or WCF as a delivery platform.
- Application integration into a cloud environment such as Azure and AWS.
- Provide security testing for Microsoft applications.
- Ability to quantify and communicate application vulnerabilities and explain identified risks to developers.
- Ability to evaluate technical and functional specifications early within the SDLC, identifying possible vulnerabilities and risks.
- Leverage knowledge of mobile and cloud applications and how to secure them.
- Provide expertise on authentication, entitlements, identity management, data leak prevention, data protection, validation checking, encryption, hashing, principle of least privilege, software attack methodologies, etc.
- Provide some expertise around code analysis software using tools such as Fortify, Ounce Labs, AppScan, WebInspect, or Burp, and be able to communicate the how and the why of these types of tools.
Responsibilities and Additional Duties
- Work with minimal supervision as an individual contributor.
- Work with a matrixed team(s) of security consultants and engineers toward successful project completion.