Senior Application Security Analyst

Zenefits

IT
Bengaluru, Karnataka, India
Posted on Tuesday, June 20, 2023

JOB TITLE: Senior Application Security Analyst

DEPT/FUNCTION: Security

REPORTS TO NAME/TITLE: Jack Cha

FLSA STATUS: Exempt

SALARY GRADE:

DATE PREPARED: 05/26/23

PREPARED BY: Jack Cha

JOB SUMMARY/OVERVIEW

We are currently seeking a motivated, experienced, and highly skilled Senior Application Security Analyst to join our global cybersecurity team in India. As an integral part of our international operations, this individual will work remotely to identify, manage, and mitigate application security vulnerabilities across our organization.

TriNet is a leading provider of comprehensive human resources solutions for small to midsize businesses (SMBs). We enhance business productivity by enabling our clients to outsource their HR function to one strategic partner and allowing them to focus on operating and growing their core businesses. Our full-service HR solutions include features such as payroll processing, human capital consulting, employment law compliance and employee benefits, including health insurance, retirement plans and workers’ compensation insurance.

The Senior Application Security Analyst is a highly technical individual with a strong understanding of web application security and the software development lifecycle (SDLC). Working closely with other members of the team and reporting directly to the Security Engineering Manager, you will assist in the day-to-day operation of TriNet's global application security program. This will include (but is not limited to) developing new ways to detect and mitigate application security vulnerabilities. This position will also monitor for, detect, respond to, and lead incident response for application security incidents. As a long-term goal, this position will analyze the TriNet application ecosystem to discover anti-patterns and make a lasting impact on how TriNet builds its software.

ESSENTIAL DUTIES/RESPONSIBILITIES

Develop secure software testing and validation procedures

Develop threat models based on customer interviews and requirements.

Capture security controls used during the requirements phase to integrate security within the process, to identify key security objectives, and to maximize software security while minimizing disruption to plans and schedules.

Translate security requirements into application design elements including documenting the elements of the software attack surfaces, conducting threat modeling, and defining any specific security criteria.

Perform risk analysis (e.g., threat, vulnerability, and probability of occurrence) whenever an application or system undergoes a major change.

Apply coding and testing standards, apply security testing tools and conduct code reviews.

Identify the security implications of software development in centralized and decentralized environments across the enterprise's computer systems, and apply appropriate methodologies.

Perform secure program testing, review, and/or assessment to identify potential flaws in code and mitigate vulnerabilities.

Assist in consulting on the design, delivery, and quality of secure data application and infrastructure solutions through risk management, guidance, education, and information security expertise for business areas.

Document and call out policy exceptions or compliance deviations for review and risk assessment.

Other projects and responsibilities may be added at the manager’s discretion

JOB REQUIREMENTS AND QUALIFICATIONS

Education Preferences:

· Bachelor’s degree in Computer Science, Information Technology, Cybersecurity, or a related field.

Training Preferences (licenses, programs, or certificates):

· Certified Ethical Hacker (CEH)

· Certified in Risk and Information Systems Control (CRISC)

· Offensive Security Certified Professional (OSCP)

· OWASP Membership and demonstrated usage

Experience Preferences:

· 5+ years of experience in a security or similar technical role.

Other Knowledge, Skills and Abilities:

· Knowledge of application security risks (e.g., the Open Web Application Security Project (OWASP) Top 10 list).

· Knowledge of computer programming principles

· Knowledge of cybersecurity and privacy principles and methods that apply to software development.

· Knowledge of Personally Identifiable Information (PII) data security standards.

· Knowledge of Protected Health Information (PHI) data security standards.

· Knowledge of programming language structures and logic.

· Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflows, mobile code, cross-site scripting, SQL and PL/SQL injection, race conditions, covert channels, replay attacks, return-oriented programming, and malicious code).

· Knowledge of software debugging principles.

· Knowledge of software design tools, methods, and techniques.

· Knowledge of Agile software development models

· Knowledge of system design tools, methods, and techniques, including automated systems analysis and design tools.

· Knowledge of web services (e.g., service-oriented architecture, Simple Object Access Protocol, and web service description language).

· Knowledge of interpreted and compiled computer languages.

· Knowledge of secure software deployment methodologies, tools, and practices.

· Skill in a scripting language (Python).

· A developer background in Python/Django is a big plus.

· Skill in penetration testing principles, tools, and techniques.

· Skill in developing and applying security system access controls.

· Skill in discerning the protection needs (i.e., security controls) of information systems and networks.

· Skill to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).

· Skill in using code analysis tools.

· Skill in conducting vulnerability scans and recognizing vulnerabilities in security systems.

· Skill in integrating black box security testing tools into quality assurance process of software releases.

· Skill in secure test plan design (e.g., unit, integration, system, acceptance).

· Ability to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).

· Ability to identify critical infrastructure systems with information communication technology that were designed without system security considerations.

WORK ENVIRONMENT/OTHER INFORMATION (Travel required, physical requirements, on-call schedules, etc.)

· Minimal travel required.

· Work in a hybrid mode (remote + office days) in Bangalore.

· The work environment characteristics described here are representative of those an employee encounters while performing the essential functions of this job. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.

Please Note: TriNet reserves the right to change or modify job duties and assignments at any time. The above job description is not all encompassing. Position functions and qualifications may vary depending on business necessity.