Application Security Analyst - Vulnerability Management

47 years

0 Lacs

Posted: 5 days ago | Platform: LinkedIn

Work Mode

On-site

Job Type

Full Time

Job Description

Key Responsibilities

  • Support vulnerability assessments using SAST, DAST, and SCA tools.
  • Collaborate with DevOps, Vulnerability Management teams, IBM and third-party PenTest service providers to ensure security is integrated into CI/CD pipelines.
  • Manage the vulnerability management lifecycle, including triage, tracking, and remediation.
  • Provide remediation guidance and recommendations to developers on vulnerabilities.
  • Maintain and evolve secure SDLC practices and documentation.
  • Deliver security awareness and secure coding training sessions.
  • Demonstrate a willingness to learn, research, and innovate to improve the overall AppSec posture.
  • Administer threat modeling activities.

Technical Skills And Experience Required

  • Experience with the following tools:
      • DAST: Qualys, Rapid7
      • SAST: CodeQL, Checkmarx, Fortify, SonarQube
      • SCA: Dependabot, JFrog Xray
  • API Security: Understanding of API security principles and tools like Postman, OWASP API Security Top 10, or API gateways with security features.
  • 47 years of hands-on experience in application security or secure software development.
  • Strong understanding of OWASP Top 10, CWE/SANS Top 25, and secure SDLC.
  • Understanding of vulnerability management lifecycle and remediation workflows.
  • Understanding of threat modeling concepts.
  • Familiarity with penetration testing tools (e.g., Burp Suite, Metasploit, Nmap).
  • Proficiency in at least one programming language (e.g., Java, Python, JavaScript, C#).
  • Familiarity with CI/CD tools (e.g., Jenkins, GitLab CI, Azure DevOps).
  • Exposure to cloud security (AWS, Azure, or GCP) is a plus.

Soft Skills Required

  • Strong analytical and problem-solving skills.
  • Excellent verbal and written communication.
  • Ability to work independently and collaboratively in cross-functional teams.
  • Strong documentation and reporting capabilities.
  • Proactive, detail-oriented, and eager to learn.

Good To Have Skills

  • Working knowledge of DevSecOps practices and tools.
  • Experience with container security (Docker, Kubernetes).
  • Certifications such as CEH or equivalent.
  • Familiarity with threat modeling tools (e.g., Microsoft Threat Modeling Tool, IriusRisk).
  • Experience in Agile/Scrum environments.
(ref:hirist.tech)

Sampoorna Consultants

Museums, Historical Sites, and Zoos

Mumbai
