Application Security Analyst

Key Responsibilities
Support vulnerability[Support][Done] assessments using SAST, DAST, and SCA tools.Collaborate with DevOps , Vulnerability Management, IBM teams [Add vulnerability management team, IBM and third-party PenTest service provider][Done]to ensure security is integrated into CI/CD pipelines.Manage the vulnerability management lifecycle, including triage, tracking, and remediation.Provide remediation guidance and recommendations [Have a think about this.][Rephrased.]to developers on vulnerabilities.Maintain and evolve secure SDLC practices and documentation.Deliver security awareness and secure coding training sessions.Demonstrate a willingness to learn, research, and innovate to improve the overall AppSec posture.Threat Modeling tool administration[Re-visit.][Rephrased].3. Technical Skills and Experience RequiredExperience with the following tools:- DAST: Qualys, Rapid7- SAST: CodeQL, Checkmarx, Fortify, SonarQube- SCA: Dependabot, JFrog Xray- API Security: Understanding of API security principles and tools like Postman, OWASP47 years of hands-on experience in application security or secure software development.Strong understanding of OWASP Top 10, CWE/SANS Top 25, and secure SDLC.Understanding of vulnerability management lifecycle and remediation workflows.Understanding of threat modeling concepts.[This should be at the top of our requirement.][Done]API Security Top 10, or API gateways with security features.Familiarity with penetration testing tools (e.g., Burp Suite, Metasploit, Nmap).Proficiency in at least one programming language (e.g., Java, Python, JavaScript, C#).Familiarity with CI/CD tools (e.g., Jenkins, GitLab CI, Azure DevOps).Exposure to cloud security (AWS, Azure, or GCP) is a plus.4. Soft Skills RequiredStrong analytical and problem-solving skills.Excellent verbal and written communication.Ability to work independently and collaboratively in cross-functional teams.Strong documentation and reporting capabilities.Proactive, detail-oriented, and eager to learn.5. Good to Have SkillsWorking knowledge of DevSecOps practices and tools.Experience with container security (Docker, Kubernetes).Certifications such as CEH or equivalent.Familiarity with threat modeling tools (e.g., Microsoft Threat Modeling Tool, IriusRisk).Experience in Agile/Scrum environments.