hirist

Job Description

Key Responsibilities :

- Support vulnerability assessments using SAST, DAST, and SCA tools.

- Collaborate with DevOps, Vulnerability Management teams, IBM and third-party PenTest service providers to ensure security is integrated into CI/CD pipelines.

- Manage the vulnerability management lifecycle, including triage, tracking, and remediation.

- Provide remediation guidance and recommendations to developers on vulnerabilities.

- Maintain and evolve secure SDLC practices and documentation.

- Deliver security awareness and secure coding training sessions.

- Demonstrate a willingness to learn, research, and innovate to improve the overall AppSec posture.

- Administer threat modeling activities.

Technical Skills and Experience Required :

- Experience with the following tools:

- DAST: Qualys, Rapid7

- SAST: CodeQL, Checkmarx, Fortify, SonarQube

- SCA: Dependabot, JFrog Xray

- API Security: Understanding of API security principles and tools like Postman, OWASP API Security Top 10, or API gateways with security features.

- 4-7 years of hands-on experience in application security or secure software development.

- Strong understanding of OWASP Top 10, CWE/SANS Top 25, and secure SDLC.

- Understanding of vulnerability management lifecycle and remediation workflows.

- Understanding of threat modeling concepts.

- Familiarity with penetration testing tools (e.g., Burp Suite, Metasploit, Nmap).

- Proficiency in at least one programming language (e.g., Java, Python, JavaScript, C#).

- Familiarity with CI/CD tools (e.g., Jenkins, GitLab CI, Azure DevOps).

- Exposure to cloud security (AWS, Azure, or GCP) is a plus.

Soft Skills Required :

- Strong analytical and problem-solving skills.

- Excellent verbal and written communication.

- Ability to work independently and collaboratively in cross-functional teams.

- Strong documentation and reporting capabilities.

- Proactive, detail-oriented, and eager to learn.

Good to Have Skills :

- Working knowledge of DevSecOps practices and tools.

- Experience with container security (Docker, Kubernetes).

- Certifications such as CEH or equivalent.

- Familiarity with threat modeling tools (e.g., Microsoft Threat Modeling Tool, IriusRisk).

- Experience in Agile/Scrum environments.
