The Delivery Group has a client in the financial services space that is looking for an Application Security Consultant for a 6-month contract to start. The Application Security Consultant will have proven experience conducting code security reviews (using tools such as Veracode, Checkmarx, or AppScan) and a proven understanding of the most common threats against code and how to avoid the resulting vulnerabilities. The Application Security Consultant will be involved in the security risk assessments and application code security support of the client's critical systems.
- 5 years of information security experience.
- 5 years of experience in financial application and system architecture and development.
- Working knowledge of C, C++, Java and secure coding practices.
- Experience working with static and dynamic security code review tools (Veracode, Checkmarx, AppScan preferred).
- Undergraduate degree in Computer Science, Engineering, or ten years of equivalent experience in financial system development.
- CISSP designation (CISSP-ISSAP).
- Knowledge of NIST and ISO information security standards.
- Strong analytical and research skills, combined with the ability to translate theoretical knowledge into practical solutions to security problems.
- Understanding of security risk management methodologies and frameworks.
- Ability to work with technical and non-technical teams to achieve goals and meet deadlines in a fast-paced environment.
- Provide aggregate information security threat risk assessments at the level of a system, an application, and an individual security vulnerability.
Participate in application / system reviews, including reviews of:
- Business, technology, and security requirements.
- Business, technology, and security architecture and design.
- Findings of security code reviews performed with automated static and dynamic analysis tools.
- Application test results including results of application / system penetration tests.
For the identified vulnerabilities, the advisor will:
- Identify the business impact of the identified vulnerabilities. The business impact assessment will be based on analysis of the specific role the impacted system / application component plays in the business process, combined with the information provided by the business sponsor representative and the project development team.
- Assess the likelihood that the vulnerability would be exploited, based on analysis of the system / application architecture, operating platform, programming languages used and exposure to attack, while taking into account the effect of the business process and technology safeguards in place.
- Assess the information security risk of the vulnerability based on the business impact and likelihood.
- Provide security assessment of remediation solutions proposed by the development team.
- Provide advice regarding prioritization of the remediation activities.
- Provide advice to the business sponsor regarding the level of acceptable risk.
- Prepare risk acceptances for cases where remediation of a vulnerability has been postponed.
- Represent Information Security in multiple concurrent projects.
- Identify the risks resulting from the lack of compliance with internal controls and the risks related to assets, while ensuring that adequate controls are maintained.
- Work collaboratively with business and technology teams to identify solutions and actions needed as a result of security and risk assessment issues.
- Interface with technology and business-services vendors to ensure the organization acquires products and services that adequately protect the confidentiality, integrity and availability of information assets.
Additional (Preferred) Skills:
- Experience in financial business process analysis.
- Financial applications and systems architecture.
- Financial systems and applications security architecture, design, and review.
- IT infrastructure and network security.