
Security Engineer, Olney, MD - Hybrid - 10+ years, at Olney, Maryland, USA
Email: [email protected]
http://bit.ly/4ey8w48
https://jobs.nvoids.com/job_details.jsp?id=684501&uid=

From:

Shambhu,

SUS Infotech Inc

[email protected]

Reply to: [email protected]

Title : Security Analyst

Location: Olney, MD (Hybrid)

Duration: 6 months / contract to hire

Skills:

1. Vulnerability

2. Baselining

3. Software testing

2 references

There are three buckets of importance, with #1 being most important.

Vulnerability Management: Candidates must be able to articulate their process for analysis and describe how they prioritize vulnerabilities. They should be able to talk naturally about where they go for the latest IT security information (blogs, news, etc.).

Baselining: They need to fully understand the concept of baselining and articulate how they have participated in it.

Software Security (not red team pen testing): They should understand basic web security. They should have experience in scanning code and passing along bugs to developers.

Additional Notes:

Big burden is finding independents who can do their jobs. Looking for someone who is broad spectrum.

Team size for vulnerability management team: 12. The team has awareness of what is needed for remediation and why.

FY24 team: 3 people (1 FTE, 1 contractor, 1 manager).

A team of IT folks does the remediation, hands on to push the patch.

Someone who understands vulnerability at its core. Need to do more than pressing the export button. Vulnerability management, understanding the tool (Qualys; fine with Tenable too). How much analysis do you do with the report? If you are not using tools, how are you staying up to date (news, blogs)? After that: "I saw this in the news and want to check upgrades."

Qualys preferred. Be able to advise the remediation team to look at the top issues and priority; currently there is no mitigating right now and it's a struggle. It does have a web plug-in. The SSB bank website is hosted with another company; we just run the scans. Ex: new Drupal 9, make sure to run a scan.

Tool issue on KPIs: 0-days to criticals should be reviewed in 24-48 hours. There is a workflow expectation.

Framework: CIS Benchmark, level 1/level 2; most tools scan for benchmarking.

SOX, GLBA, PCI, with PCI being the main compliance driver.

Baselining: creating rules, leveraging different plug-ins and scans; this baseline does not match our credentials (CIS). Spin up an initiative that lives in the vulnerability team; divide and conquer with cross training. Very beneficial but not a requirement.

Software Testing: if they helped with identification through a scanner or automated software scanning tool. Code review, working with devs: "saw these bugs and this is how you could improve the code," then scan before resubmitting it. Software is the lowest priority of the three.

He is hiring for the manager position as well.

The bank started working with devs to create code; they do not have the right tools to scan the code, so it will be a complete rework.

Developer team: a mix of contractors, FTEs and outsourcing.

Not interested in candidates who come from a government background.

KNOWLEDGE, SKILLS, AND ABILITIES:

B.A. or B.S. in Computer Science, Management Information Systems or related field, or equivalent work experience. Advanced certifications desirable.

At least five (5) years of experience in information security administration, vulnerability management or security operations.

Security certifications desired. Preferably, one or more of the following: GIAC Enterprise Vulnerability Assessor (GEVA), GCED, GCCC, GPEN, CISSP

Proficient with vulnerability management solutions such as Qualys, Rapid7 Nexpose, Tenable Nessus, and open source.

Experience with software security testing tools (SAST/DAST) such as Fortify, JFrog, CheckMarx, Sonatype is required.

Experience stabilizing systems to run minimal application requirements, least privilege and additional host hardening using CIS Benchmarks.

Understanding of Windows and *nix operating systems, endpoint applications, networking protocols and devices.

Experience with vulnerability management across Amazon Web Services (AWS), Microsoft Azure or Google Cloud Platform (GCP).

Experience conducting organization-wide vulnerability scanning and remediation processes.

Experience with API and Web Application Security scanning and remediation.

Experience with securing container-based solutions such as Docker, Kubernetes (K8s), AWS EKS, AWS ECS, AWS Fargate.

Prior experience working on a Red Team/ Blue Team / Purple Team is desired.

Ability to collaborate with technical and business teams in order to remediate vulnerabilities based on risk.

Knowledge of information security standards (e.g., NIST CSF, ISO 2700x, etc.), rules and regulations related to information security and data confidentiality (e.g., GLBA, SOX) and desktop, server, application, database, network security principles for risk identification and analysis.

Understanding of OWASP, CVSS, the MITRE ATT&CK framework and the software development lifecycle.

Proven trustworthiness and history of acting with integrity, taking pride in work, seeking to excel, being curious and adaptable, and communicating well.

Self-starter requiring minimal supervision.

Excellence in communicating business risk and remediation requirements from assessments.

Analytical and problem-solving mindset, collaborative, highly organized and efficient.

Excellent communication (oral, written, presentation), interpersonal and consultative skills.

Thanks & Regards

Shambhu

Team Lead Recruiter

12:00 AM 27-Sep-23

