DTICI_Product Security_ Sr. Consultant_T8

Tasks

Role: Azure Cloud Security Consultant

Years of experience required: 4 to 9 years

Job Role: You play a key leadership role in assisting software development teams in securely architecting/operating their software applications by aligning to the SE secure software development principles, industry standard methodologies, and compliance and privacy requirements.

Interface with application development team to champion and ensure adoption of security standards/best practices and remediate security gaps

Lead Cloud Security domains such as security automation, Container Security and Azure Infrastructure Security

Perform application threat modelling based on STRIDE/DREAD model, use C4 data model architecture to identify the trust boundaries and security gaps to create application risk profile and remediation recommendations.

Ability to assess current processes, identify improvement areas and suggest technology solutions

Always look for opportunities to optimize, automate and secure the daily workflow

Candidate should be from security background with automation skills.

Mandatory skills:

Solid understanding and experience with securing public cloud deployments and distributed systems using Azure and understanding of security challenges involved in deploying Cloud Applications

Experience with threat model, network security, cryptography, authentication, authorization and RBAC.

Performed DevSecOps tool integration, IaaC preferred

Proficient in any one programming language (e.g. Golang, Python, PowerShell)

Identify security flaws, vulnerabilities and misconfigurations in infrastructure, Cloud including PaaS, IaaS.

Perform Container and Kubernetes Security Assessments from build to deployment and prioritize remediation with guidance

A good knack for automating infrastructure security as much as possible.

Knowledge of Web/infrastructure security assessments (pen tests, security checks)

Vulnerability discovery and variant hunting. Using the best available and most appropriate methodologies, including threat modeling, penetration testing, security design analysis, fuzzing, SAST and DAST, etc., you will examine chosen target systems in detail, looking for vulnerabilities and weaknesses, perform variant hunting looking for larger patterns, conduct qualitative and quantitative analysis over those patterns, and drive solutions upstream in a data-driven, shift-left fashion

Expert level knowledge regarding multiple classes of vulnerabilities, including cross-site scripting, buffer overflows, SQL injection, TOCTOU (Time of Check Time of Use) vulnerabilities, cryptographic weaknesses, insecure direct object references, and others, and the ability to communicate about them to technical and non-technical audiences

Knowledge and understanding of Python, Java, SQL, JavaScript, NodeJS, etc. is a huge plus

In-depth knowledge of security vulnerabilities not just limited to OWASP Top 10

Ability to do manual source code review, visualize the root cause and deep dive without the automation tools.

Experience working with and configuring Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST) and Software Composition Analysis (SCA) tools

Qualifications

Experience with security testing tools (Qualys, Nikto, Burp suite, Appscan, WebInspector, SQLMAP, Kali, etc.)

Knowledge of how to execute security testing (SAST, DAST and SCA) implemented via a CI/CD pipeline.

Understanding of application security patterns including web application security (OWASP top 10, XSS, injection vulnerabilities, CSRF, platform security hardening), and mobile security (device fingerprinting, Mobile authentication, and key exchange) strategies.

Knowledge of IaaC, CI/CD, Application Security and DevOps is desirable

OSCP, eWPT, eMAPT, Certified Kubernetes Application Developer (CKAD) or similar certifications will be a plus

Work location

Daimler Truck AG
560048 Bangalore
India

Employer profile

Daimler Truck: the commercial vehicle pioneers

Around 125 years ago, we founded the modern transport industry with our trucks and buses. Today we are one of the world's largest commercial vehicle manufacturers. We employ more than 100,000 people at more than 40 sites in North America, Europe, Asia and Latin America, and at numerous sales and service points in most countries of the world. In China, we hold a 50 percent stake in Beijing Foton Daimler Automotive. The joint venture with the Chinese partner Foton produces trucks under the Auman brand.

In our global network, we develop and produce trucks and buses that are sold under the brands BharatBenz, Freightliner, FUSO, Mercedes-Benz, Setra, Thomas Built Buses and Western Star. With Daimler Truck Financial Services, we can also offer our customers a complete package of vehicles and financial services tailored precisely to them. We work for all who keep the world moving: that is our shared drive at Daimler Truck.

Job ID: 8734278 / Ref: 219ed905c12a23152b4a0c0b7e194d42

Daimler Truck AG

Employees: more than 10,000
Industry: Automotive and vehicle manufacturing