Job Details

ID #49596569
State New Jersey
City Jersey City
Job type Permanent
Salary USD TBD TBD
Source Kani Solutions
Shown 2023-03-31
Date 2023-03-31
Deadline 2023-05-30
Category Etcetera

Application Security Analyst

New Jersey, Jerseycity, 07302 Jerseycity USA

Vacancy expired!

Application Security Analyst
Location: Jersey City, NJ (2-3 days per week Onsite)
Hire Type: Permanent Hire / Full Time

POSITION SUMMARY:

Client is seeking a Senior Analyst, Software Applications Security, to join the CISO group. The individual will be responsible for assisting with the implementation of an enterprise-wide software application security program. This position will proactively work with the client and agency application development teams, support staff and IT leadership to promote secure software development and active detection of vulnerabilities and exploitable code. The Senior Analyst will be directly involved in management of various application scanning tools, script writing and advising on application vulnerability remediation. The ideal candidate is analytical, understands risk and is knowledgeable in application development. Willingness to learn and flexibility are a must, as day-to-day assignments can vary greatly.

ESSENTIAL FUNCTIONS:

- Development experience using Python, BASH, Ruby, or other scripting languages.
- Understanding of OWASP Top 10 and SANS Top 25.
- Understanding of software development CWE classes.
- Understanding of Secure Software Development Life Cycle (SSDLC).
- Knowledgeable about software development-related CIS controls.
- Knowledge of NIST-800-53 and OPA hands-on.
- Knowledge of zero-trust security will be an advantage.
- Should have exposure to API security.
- Knowledgeable about modern web application frameworks like Node.js, React.js, Angular, Ruby on Rails, Laravel, etc.
- Should have experience of Jenkins, Git, Bitbucket, JFrog, Quay, ECR, Docker, OCP, Kubernetes.
- Knowledge of cryptography, network, and web-related protocols (such as TCP/IP, UDP, HTTP and HTTPS).
- Experienced in cloud-native and container security - Kubernetes and OCP.
- Must have hands-on experience of CI/CD scans and cloud security posture management tools such as Prisma Cloud, Aquasec or Wiz.
- Candidate should have work experience in multi-cloud environments - AWS, Azure, and Google Cloud Platform.
- Knowledgeable about DevSecOps, Infrastructure as Code, and securing CI/CD pipelines.
- Should have good knowledge of application security, threat modelling, source code analysis, source code composition, and DAST.
- Application security tools - Burp Suite, ZAP, Veracode, Checkmarx, Snyk, ThreatModeler, Qualys web scanner, Hashicorp Vault, Prisma Cloud, Aquasec and Wiz.
- Ability to see the big picture and keep it in mind while performing operational activities and vetting vendors and tools, and to apply all these things when helping plan the next phases of our software security program.
- Able to work on multiple projects simultaneously in a fast-paced environment.
- Use development experience to create necessary scripts to meet various needs of the software security program.
- Assist with management of the security champion program with development teams.
- Assist with management of the application scanning program (DAST, SAST, SCA, IAST, etc.), including identifying applications that require scanning, managing onboarding of applications into scanning programs, and working with development teams to understand and remediate findings.
- Research and present on topics to development teams focused on specific application vulnerabilities or application security areas of interest to teams.
- Assist with creating, editing, and revising standard policies and procedures and documentation of technical processes.
- Assist with validating and explaining security vulnerabilities reported via scanning, security researchers, users, etc.
- Participate as needed in incident response, threat hunts, penetration testing, and other tasks as they relate to application security.
- Take on additional responsibilities as applicable.
