Application security Consultant: | Almawarid Group
Employment:
Full Time
The systems security development specialist is responsible for evaluating the security of the software and applications. He/she should be involved in the complete software development lifecycle.• Determine the required security controls. • Assist in software design reviews. • Identify functional and/or performance test cases. • Conduct a risk assessment when a system, software or application undergoes a change. • Conduct secure code reviews. • Identify and implement security mechanisms to resolve issues in software development. • Perform software quality assurance testing. • Implement security measures for solving issues identified during software acceptance phase. • Conduct vulnerability assessment activities prior to deploying the application. • Evaluate and communicate the software testing results with the design team and stakeholders. • Develop documentation for software programming and development, and secure software / system testing and validation. • Develop and implement an application security program across the organization with periodic reviews to assess effectiveness. • Develop secure coding standards and procedures, derived from leading security practices and industry standards, across all platforms. • Develop a process for project risk rating to drive and inform SDLC rigor (e.g. threat modelling), which will be part of the SDLC process. • Conduct security assessments on applications when in staging mode and provide risk assessment report for application owners before deploying them in production.• Define an IT/OT application testing framework where regular reviews and mandatory checkpoints are conducted against defined standards prior to design completion.• Develop a code integrity process where code signing is performed consistently & integrated in SDLC process and code obfuscation is applied wherever applicable. • Conduct security assessments on applications in production. • Review the IT/OT security controls for applications targeted with cyber threats. • Maintain a centralized repository for SDLC processes integrated with regular tracking processes. • Document a list of requirements where all intellectual property and production code are held in escrow. • Develop guidelines to include application security testing and for mobile applications.• Train testers on coding process using security test cases. • Identify and assign personnel responsible for application security. • Develop a process for conducting SAST and DAST activities on all developed applications• Implement Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) tools to identify vulnerabilities and weaknesses in applications before deploying into production. • Develop a platform to allow users to report bugs/issues in the applications. • Implement a WAF to ensure protection of critical and externally facing the company applications. • Ensure WAF logs are captured, archived and integrated to the SIEM solution. • Create and maintain an inventory of all IT/OT applications including criticality and sensitivity ratings, reviewed at least once a year. • Maintain a whitelist of IT/OT applications and application components authorized to be active on a host along with a list of trusted applications from vendors. • Perform periodic scans to detect deviations from the baseline configuration standards.• Develop schedule to periodically review Web Application Firewall (WAF) signatures based on the changes to application use cases and design changes. • Develop training materials and implement training on application hardening relevant to all stakeholders.
Knowledge: • Network components, their operation and appropriate network security controls and methods. • Cybersecurity and privacy principles as they apply to software development. • Programming language structures and logic. • Interpreted and compiled computer languages. • Critical information systems that were designed with limited technical cybersecurity controls. • Data security standards relating to the sector in which the company operates. • Embedded systems and how cybersecurity controls can be applied to them. • Intrusion detection and prevention system tools and applications. • Complex data structures. • Local and wide area networking principles and concepts including bandwidth management.• Secure configuration management techniques. • Software debugging principles. • Software development models.• Software engineering. • System design tools, methods and techniques, including automated systems analysis and design tools. • Knowledge of web services. • Secure coding techniques. • Software quality assurance process. • Developing software in high-level languages.• Developing software for UNIX or Linux.Qualifications: • Bachelor’s degree in computer science, information systems, or related field. • 10+ years of experience in information security. • 7+ years of experience in security testing of software. • ISTQB certifications, or equal certifications• Bachelor’s degree in computer science, information systems, or related field. • 10+ years of experience in information security. • 7+ years of experience in security testing of software. • ISTQB certifications, or equal
We are a national group formed on the foundations of social responsibility and building the acquired value with hard work and quality of outputs that contribute to creating a fertile production environment for our esteemed customers so that they can present their work in accordance with standards of balanced performance that ensures continuity and reduces the expected risk. More
