As a Security Champion you will be responsible for leading and organizing all of the project's security aspects, ensuring that a secure SDLC process, secure architecture and secure operations are in place.
RESPONSIBILITIES:
- Lead and coordinate security audits for ongoing projects (covering architecture, process, risk, testing, etc.)
- Apply security best practices from various domains (public and private clouds, networking, containerization and microservices, S-SDLC, etc.)
- Work as a security consultant helping to establish secure development activities across the SDLC end-to-end, and be able to clarify security questions in both development and operations.
- Contribute to building secure architecture and design for the projects.
- Assist with establishing each system's security baseline (data classification, attacker profile classification, risk assessment and threat modeling).
- Organize and own the handling of system vulnerabilities (application: SAST/DAST/bug bounty; infrastructure/deployment: CSPM, IaC security, secrets management, etc.; operations: DAST/penetration testing/privileged access review, etc.)
- Contribute to providing security controls that satisfy corporate security standards as well as compliance regulations.
- Communicate with customers and teams, and be able to convey the importance of a secure SDLC and the ways of establishing it.
- Collaborate with other teams (engineering, infrastructure, development, database, security operations, etc.) on physical and logical system design.
REQUIREMENTS:
- 3+ years of relevant professional experience (software development, system administration, IT security, etc.)
- Passion for developing in the field of security.
- Understanding of at least one security development methodology (e.g. Microsoft SDL, OWASP OpenSAMM, BSIMM, etc.)
- Understanding of the main security-related activities in development, such as security requirements gathering, risk assessment, threat modeling and security code review.
- Understanding of security threats and their classification.
- Understanding of the most common concrete forms of those threats (e.g. XSS, SQL injection, XSRF, buffer overruns, brute force, rainbow tables, DoS, etc.) and how they map to the general classification.
- Understanding of the main security concepts and principles.
- Understanding of the main areas of protection and levels of defense.
NICE TO HAVE:
- Familiarity with the tools used for various security activities: static code analysis, pen testing, intrusion detection/prevention, etc.
- Knowledge of the security features and mechanisms provided by at least one OS and one development platform/technology stack.
- Understanding of mitigation mechanisms for each type of threat.
- Familiarity with existing security standards and regulations, and experience implementing their requirements.
- Understanding of the basic principles of infrastructure security and penetration testing.
- Ability to use tooling to perform hands-on attacks is a plus.
- Certification in any security area is a plus.