Cybersecurity Vulnerability Assessment Analyst
Location: Buffalo, NY

Function:
Performs security vulnerability assessments to identify, analyze, and report vulnerabilities. This includes:
Conduct scans of network assets (e.g., hardware, servers, operating systems, and software) associated with applications and systems to identify vulnerabilities.
Coordinate penetration testing activities and red team testing to identify and evaluate potential vulnerabilities in various information systems and hardware.
Coordinate static code testing and analysis to identify security flaws in coding.

Responsibilities
Conducts scans and tests on a predetermined and ad hoc basis. Identifies critical vulnerabilities within the network, information systems and applications that could be exploited.
Uses automated tools (e.g., Qualys, Nessus) to perform scans.
Validates report findings to reduce false positives.
Uses automated tools (e.g., Archer eGRC) to assign, track and escalate issues regarding vulnerability remediation.
Provides subject matter expertise regarding vulnerability management to asset owners. Tracks and validates remedial actions. Ensures compliance with information security policy and regulatory requirements. Compiles and tracks vulnerabilities over time to provide historical trend reporting and key risk indicators.
Performs vulnerability management system administration functions as required.
Adheres to audit requirements.
Facilitates penetration testing with third party service providers on web-based applications, networks and computer systems.
Provides guidance, recommended controls, and countermeasures regarding risk management (or identified vulnerabilities).
Evaluates findings and associated risks from penetration tests, and communicates findings and recommended remediation with stakeholders.
Coordinates red team testing including results reporting, tracking findings, and remediation follow-up and escalation.
Manages security code reviews through SaaS. Tracks findings from static code analysis and ensures coding issues are addressed in a timely manner.
Presents periodic reports to management regarding the security posture of developed application code.
Use of independent judgment and discretion within assigned limits.

Minimum Qualifications
Bachelor’s or related degree in Computer Science or related field, or equivalent in work experience
5 years of professional experience, with 3 years of experience working in information security or a similar discipline.
Experience with vulnerability management including scoring and categorizing vulnerabilities as they relate to various business applications.
Minimum of 2 years of hands-on experience with security tools such as scanners, monitoring and detection, malware protection, security analysis tools and compliance tools (both network and host-based solutions).
Familiarity with Mobile and Wireless penetration testing methods to include experience with social engineering techniques.
Knowledge of programming concepts for secure coding.
Experience with static code analysis and common tool sets.
Working knowledge in the application security domain (OWASP, etc.)
Understanding of web services architecture and protecting public APIs.
Current knowledge of the latest vulnerabilities and programming exploits.
Proficient with MS Office Suite (e.g. Word, Excel, PowerPoint)
Experience with and knowledge of application security architecture (e.g., operating systems, firewalls, IDS, etc.)
Solid understanding of network protocols (TCP/IP)
Ability to manage multiple projects simultaneously that involve key stakeholders across a globally-distributed and federated enterprise.
Strong knowledge of prevalent operational security tactics and techniques. This includes things such as vulnerability exploits and countermeasures, remote access Trojans and related persistence techniques, lateral movement, social engineering, etc.
Strong customer service skills.
Excellent written and oral communication and presentation skills
Ability to work as a team and relate to coworkers

Preferred Qualifications
Experience in cryptography, PKI, SSL, Key management, network security, systems security
Exceptional technical writing skills and attention to detail
Exceptional communication and advocacy skills, both verbal and written, with the ability to express complex and technical issues using clear and concise language
Ability to collaborate and communicate effectively and tactfully with both business-oriented executives and technology-oriented personnel
Capable of working independently in unstructured situations
Experience with reverse engineering
Programming experience in one or more of the following languages: Ruby, Python, Perl, C, C++, Java, and C#
Knowledge of network protocols and design
CISSP/GSEC/GSLC/GXPN/GPEN/OSCP/GWAPT or similar certifications