Information Security Analyst

The Security Analyst is responsible for performing secure and quality code reviews to identify vulnerabilities, conducting vulnerability assessments and penetration testing across web, API, and mobile applications, and executing SAST and DAST methodologies. They utilize code scanning tools to perform application security testing, analyze results, and provide actionable recommendations. The role also involves offering technical guidance on secure coding practices and conducting technical due diligence on third-party applications and integrations to ensure security compliance.

Key Accountabilities

1: Vulnerability Assessments & Penetration Testing (VA/PT):

• Conduct comprehensive VA/PT across IT Infrastructure including Servers, Web Applications, APIs, and mobile applications.
• Conduct thorough analysis on current state and future state assessments of IT Infrastructure through Active directory, Servers, Cloud technologies, Networking, Endpoint security, Email security, Office365 and perimeter security.
• Execute Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST).
• Monitor security infrastructure components, ensuring their availability, performance, and adherence to security policies.
• Conduct penetration testing for iOS and Android applications to uncover platform-specific vulnerabilities.

2: Secure Development Practices:

• Collaborate with application engineers during the development and deployment of new applications to implement security design and controls through the stages of Software Development Life Cycle (SDLC).
• Perform both quality and secure code reviews to ensure adherence to security standards.
• Identify vulnerabilities and weaknesses in application code through manual and automated techniques.
• Provide technical guidance and support to development teams on secure coding practices.
• Collaborate with development teams to remediate vulnerabilities identified during PT assessments.
• Conduct technical due diligence on new applications including assessing their architecture, performance, scalability, and compliance with security standards.
• Knowledge of cloud platforms and understanding cloud security frameworks to identify technical risks as part of due diligence.
• Collaborate with cross-functional teams to address identified risks and ensure continuous improvement in application security and compliance.
• Perform annual due diligence reviews on the prior conducted due diligences, for deployed applications.

3: Business Performance

• Identifies and documents information security risks and proposes mitigating controls.
• Investigates and responds to security incidents.
• Actively researches, evaluates, and drives next generation security technologies and solutions to solve the organization's requirements.
• Manages solution development and deployment that adheres to best practices.
• Comply with company policies and procedures and maintain up to date documentation of all system configurations, approvals, user manuals etc.
• Maintain the ISMS documentation and processes required for ISO 27001.
• Implement controls required by Federal or Local Government Laws & Regulations in the technical security controls managed by ABH IT.
• Adhere to Green IT policy and apply environmentally friendly practices in daily work routine.

Experience Required:

• Minimum 5 years of hands-on experience in offensive security.
• Knowledge of common vulnerabilities (e.g., OWASP Top 10, CWE/SANS Top 25) and their remediation strategies.
• Proficiency in SAST, DAST, and mobile penetration testing methodologies.
• Certifications like OSCP, GWAPT, CEH, or similar are preferred but not mandatory.
• Proven experience conducting secure and quality code reviews.
• Familiarity with tools like SonarQube, Checkmarx, Burp Suite, or similar is preferred.
• Strong understanding of secure SDLC.
• Strong analytical and problem-solving skills.
• Ability to work collaboratively in a team environment and communicate effectively with technical and non-technical stakeholders.