Aavalar is looking for an Application Security Consultant for a large financial institution in the Wilmington/Newark area. This is a great role for an individual looking to make a difference in the IT security area. This person must be able to interact with various business units and system administrators.
Consultant’s Title: Security Engineer
Work Location: Wilmington/Newark, DE
Is Telecommuting possible: No
Work environment: Beautiful private office, state of the art technology, with onsite cafeteria, very friendly, business casual.
Who will this position report to: Team lead
Why is there a need for a consultant/contractor: Growing department with a lot of work that is untouched.
What is the start date of the contract: ASAP
What is the anticipated length/scope of the contract: Slated for 6 months; could be extended, but this is not guaranteed.
What is the size of department: roughly 5-10 people
What projects will the consultant be involved with: Application risk. The individual will ensure the security of all applications and systems running in the BCUS domain. This includes understanding all existing web-based (Java and .NET) and other third-party applications running in the environment, and reviewing the security provisions of all new applications and major changes in the environment.
– Support projects within the SDLC and Agile environments with application security testing, penetration testing and vulnerability management functions.
– Perform Web / Mobile application security assessments and penetration testing on projects and/or releases; produce detailed risk reports with identified vulnerabilities and remediation recommendations.
– Conduct static and dynamic code analysis as needed to support release cycles.
– Work closely with development team during the envisioning and development process to guide secure design and secure coding practices.
– Manage web application firewall through log analysis, system tuning and
– Evaluate, track, and ensure compliance of high and critical vulnerabilities; develop, maintain and update scorecards to reflect vulnerabilities and communicate to end users.
– Implement security solutions, and provide technical leadership during the design, development, and testing phases of major initiatives.
Role with the group: Security Engineer
– Knowledge of the software development lifecycle in a large enterprise environment including agile processes and practices.
– Experience performing manual and automated code review, and developing, proposing and enforcing secure coding standards and policies.
– Knowledge of the OWASP Top 10 and related exploitation techniques, including but not limited to cross-site scripting, SQL injection, session hijacking and buffer overflows used to obtain controlled access to target systems.
– Good understanding of various web application architectures and web technologies (Java, MS .NET, etc.)
– Experience with web application firewalls and intrusion prevention systems (e.g. ModSecurity).
– Experience with commercial application scanning tools (DAST) such as IBM’s AppScan, HP’s WebInspect, etc.
– Experience with commercial static analysis tools (SAST) such as HP’s Fortify, Klocwork, etc.
– In-depth knowledge of proxying and/or fuzzing tools such as Paros, Burp, WebScarab, OWASP ZAP, etc.
– Familiarity with web services technologies such as XML, SOAP and AJAX.
– Understanding of server- and client-side application development and middleware (Oracle WebLogic, IBM WebSphere, Apache Tomcat).
– Proficiency in utilization of information security tools such as Nmap, Nessus, Burp Suite, Kismet, and Metasploit; manual techniques to exploit vulnerabilities in networks and applications.
– Industry security certifications preferred (CISSP, CISA, CCNA, etc.)
– Industry certifications preferred: CEH, OSCP, GWAPT, LPT or ECSA
– Additional certifications desirable: CSSLP and GSSP
Selling point of the job: Up and coming team and department within the company. A real chance to put your stamp on helping take a major company to the next level with IT security.
Work Hours and Schedule: 40 hours, flexible work schedule
Is there travel involved? No travel
Is overtime paid, and is it at straight time? Straight time
Dress Code: Business Casual
Who is involved in the interview process? Manager, Team lead, and team members
Key words: Security, SDLC, Agile, CISA, CISSP, CCNA, .net, Java