Lead IT Risk Technologist
Location: Altoona, PA
Job Type: Full Time / Permanent
Our Cyber Security team is looking for a Cybersecurity engineer with expertise in the Application Security domain. In this role, you will work with software development partners to identify and mitigate the security vulnerabilities in our applications. You will also act as an application security SME for the development and security communities.
- Own and develop the Secure SDLC Strategic Plan and execution of the Secure SDLC process.
- Perform dynamic and static application security testing against web applications, thick-client applications, APIs and mobile applications.
- Perform assessment of cloud architecture and configuration.
- Perform application threat modeling.
- Perform findings/vulnerabilities analysis, document results, engage with high level personnel, discuss findings, provide recommendations, explain testing techniques, and stay current on weaknesses and vulnerabilities.
- Engage customers on the implementation and improvement of secure software development lifecycle.
- Assist in the execution of appropriate information security policies, standards, procedures, checklists, and guidelines
Education & Experience:
- A four-year degree in Computer Science, Management Information Systems, Computer Engineering; or a four year degree in another field of study which includes courses in computer programming, systems analysis, system development, or systems engineering is preferred.
- 5 years of applicable experience in a technology environment required
- Skilled finding security bugs in several languages, including Java
- Experience in application penetration testing required
- Understanding of web services architecture and protecting APIs
- Intimately familiar with OWASP Top 10, including detection and prevention mechanisms
- Experience with static analysis, dynamic analysis, and runtime analysis toolsets
- Pragmatic approach to security issue prioritization & remediation
- Maintain a continuous personal professional development program; this level requires CISSP certification and commitment to pursue additional training or certifications in risk, security, governance, compliance (e.g., CISSP-ISSEP, CISSP-ISSAP, CISSP-ISSMP, GICSP, GMOB, GCIH, CRCMP, CISA, CGEIT, CRISC, CRMA, CORP, advanced degree)
- PCIP/ISA (PCI Council) preferred