The Information Security Specialist interacts with team members and clients on security projects and production support efforts, covering scanning, vulnerability assessments, penetration tests, authenticated and unauthenticated application assessments, logical security reviews, and line-of-business and vendor assessments. As such, they provide both technical and non-technical support for a broad range of IT security programs and processes related to Information Security and to both entity and application assessments. This person should have experience in planning, conducting and directing research and/or development work on complex vulnerability projects. Past experience should include originating and applying new and unique approaches to application and infrastructure security in relation to identified risk issues, and coordinating and liaising with diverse departments, divisions and organizations. The ideal candidate is strongly application focused with a good understanding of network-based security, and has knowledge of vulnerability scanning tools, assessment techniques, and development and application security techniques drawn from sources such as SANS, OWASP and other security vulnerability protection practices.
CISSP, CEH, OSCP, GPEN certifications and a Master's-level degree in a related IT or Security Assurance field preferred.
- 3+ years' experience of professional web application development or source code review (Java/J2EE)
- Knowledge of web architecture and protocols (HTTP(S), TCP/IP, ARP, SMTP, DNS, etc.)
- Must understand how data flows through an application and connected components (SMTP, LDAP, Database servers) and common software security issues and remediation techniques (OWASP top 10, SANS top 25, etc.)
- Must be able to use SOAP UI to test the web services.
- Must have prior knowledge of security testing on JBoss middleware such as SOA-P, JBoss AS, JBoss EWS, JBoss BRMS/Drools, ESB, HornetQ, BPM, jBPM, SEAM
- Experience in Medicare and Health Sector
- Familiarity with 508 Requirements
- Familiarity with Red Hat Linux
- Proven ability to work within agile process framework, incl. SCRUM and Sprints
- Understanding of WS-Security, including SSL/TLS, addressing, SAML, JAAS/LDAP
- Understanding of XML gateways (DataPower, Layer7 etc.) and configuring policies for SOAP-based and REST-based services
- Must have gateway administrative experience
- Penetration Tester, vulnerabilities, Nmap, Nessus, MetaSploit, Burp suite, HP Fortify, testing, security
- A working knowledge of commercial and open source security scanning tools is a must.
- Conduct penetration, vulnerability and web application testing, and risk assessments.
- Provide inputs to manage and develop an emerging threat model to assess and disseminate threats related to the enterprise in regard to current vulnerability posture.
- Improve the scanning and assessment processes by identifying and recommending process improvements.