Snyk, Grip or Checkmarx, Mend (any 2 skills)
OWASP - mandatory
CISSP certification - added advantage
Should be responsible for audit compliance and secure software development practice
Needs a combination of development + audit
Key Responsibilities
Code Analysis, Scanning, and Remediation
- Security Tool Configuration: Configure and operate security scanning tools (e.g., Snyk, Grit, Checkmarx, Coverity, Mend) to scan applications and interpret results to identify potential security flaws.
- Static and Dynamic Code Analysis: Perform static and dynamic code analysis to identify vulnerabilities in the source code. Help application teams adopt best practices.
- Vulnerability Remediation: Work directly with development teams to guide them in resolving identified vulnerabilities and promote secure coding practices.
- Issue Prioritization: Prioritize critical security issues and escalate them for immediate remediation when necessary.
Security & Privacy Architecture
- Security Assessments: Conduct in-depth security assessments to identify potential attack vectors, vulnerabilities, and risks in the application architecture and source code.
- Recommendations: Provide actionable recommendations to development and architecture teams to address security gaps and ensure compliance with security standards.
- Security Design: Assist in the design of secure application architectures that meet both business and security requirements.
SDL Coaching and Best Practices
- SDL Awareness: Conduct Security Development Lifecycle (SDL) coaching and assessments with development teams to raise awareness of security practices and ensure they align with best security practices.
- Security Best Practices Adoption: Guide teams in adopting and integrating Comcast security practices into their SDLC, focusing on secure coding, testing, and deployment.
- Coaching & Mentoring: Provide ongoing coaching and mentoring to developers to help them understand the importance of security throughout the development process.
Compliance Lead (CGA, PCI, CPP)
- Regulatory Compliance: Participate in security risk assessments and ensure that applications comply with relevant industry standards and regulations (e.g., PCI-DSS, CGA, CPP).
- Audit Preparation: Assist application teams with preparation for security audits, providing guidance before and after audits to address any issues.
- Documentation: Ensure that all security compliance requirements are well documented and tracked.
Research and Continuous Improvement
- Threat Intelligence: Stay updated on the latest security threats, vulnerabilities, and emerging trends in application security to proactively mitigate risks.
- Tool & Framework Evaluation: Evaluate new security tools, frameworks, and technologies that can improve the effectiveness of security code scanning and remediation. Conduct comparative analysis and provide recommendations.
- Process Improvement: Continually assess and improve security processes within the development lifecycle to enhance overall security posture.
Required Qualifications
- Experience: 8+ years of experience in application security, including hands-on experience with code analysis, security testing, and risk assessments.
- Technical Skills:
  - Strong understanding of secure software development practices.
  - Familiarity with security tools such as Snyk, Grit, Checkmarx, Mend and other static/dynamic code analysis tools.
  - Knowledge of security vulnerabilities (e.g., OWASP Top 10, CVEs) and remediation techniques.
  - Experience with common security frameworks and methodologies (e.g., OWASP, NIST, CIS, PCI-DSS).
  - Proficient in at least one programming/scripting language (e.g., Python, Java, C#, JavaScript).
- Compliance Knowledge: In-depth understanding of industry compliance standards such as PCI-DSS, CGA, and CPP.
- Communication Skills: Excellent written and verbal communication skills with the ability to interact with technical and non-technical teams alike.
Preferred Qualifications
- Certifications: CISSP, CISM, CISA, or equivalent security certification is highly preferred.
- Cloud Security Experience: Knowledge of security best practices in cloud environments (AWS, Azure, GCP).
- DevSecOps Experience: Experience with integrating security practices into DevOps pipelines and workflows.