Software Development Lifecycle Senior Analyst
Job Description
CNA seeks to offer a comprehensive and competitive benefits package to our employees that helps them - and their family members - achieve their physical, financial, emotional and social wellbeing goals.
For a detailed look at CNA's benefits, check out our Candidate's Guide.
A secure Software Development Lifecycle (SDLC) analyst is responsible for the security-related design, execution and testing of an application or service and the data it handles. The responsibilities encompass all phases of an application's lifecycle, and include incorporation of CNA's processes and standards to minimize or eliminate risk to the company, the application or service, and the data.
The analyst will evaluate an application or service using architecture and design documents, code reviews, static testing, dynamic testing, company standards, industry guides and established best practices. When a vulnerability or risk is encountered, the analyst will provide recommendations and proposed security controls to developer teams and stakeholders to minimize or eliminate the risk. The analyst will apply what is learned to improve automation, CI/CD pipelines and standards, refining processes for all company apps and services.
JOB DESCRIPTION:
Essential Duties & Responsibilities
- Participate in the implementation of secure Software Development Life Cycle (SDLC), and be responsible for the security solution reviews, security design and technical assessment for business departments
- Research new software development technologies and concepts and make improvement suggestions.
- Improve the secure SDLC, build the standard system, and formulate relevant security standards and requirements
- Read and understand security test reports. Provide advice in patching vulnerabilities and following up with the risk mitigation
- Evaluate the risk points of mainstream application frameworks and develop security solutions to provide security support for each business line
- Build and maintain internal tools to streamline software development process to enhance productivity.
Skills, Knowledge & Abilities
- Solid understanding of the OWASP Top 10 vulnerabilities, including the principles behind each, how they are exploited, and how they are patched and hardened against
- Understanding of application development methodologies, like Waterfall and Agile
- Familiarity with the implementation of enterprise's SDLC process and standards
- Experience in building and maintaining secure SDLC for companies and enterprises, including following and authoring standards
- Familiarity with automation and CI/CD pipelines, and the ability to modify a pipeline to ensure an application meets enterprise standards
- Technical knowledge of black box testing methods and attack paths, and of tools used for manual testing like Burp Suite and OWASP ZAP
- Proficiency in at least one programming language such as HTML/JavaScript/CSS, Java Enterprise, Python, PHP, Go, C, etc.
- Ability to perform source code audits in multiple languages, including HTML/JavaScript/CSS, Java Enterprise, and Visual Basic/C#/.Net
- Proficiency in reading architecture and design documents, threat models, trust models, and the related code
- Ability to interview development teams to understand the design and implementation of an enterprise application and its interactions with third party services
- Understanding of operating system concepts and security services, like permission systems, ACLs, keychains, APIs, etc., and the ability to design an app that takes advantage of those security services
- Understanding of platform design and security services, like Java, .Net, Google Cloud Platform (GCP) or Amazon Web Services (AWS), and the ability to design an app that takes advantage of those security services
- Understanding of different architecture and design choices, like an on-prem app versus an app in Google Cloud Platform (GCP), Amazon Web Services (AWS) or Salesforce.
- Understanding of common vulnerabilities for components such as authentication, authorization, auditing, session management, secure storage, secure channels and logging. Experience with independently exploring business logic vulnerabilities would be a bonus
- Understanding of common security controls, and the ability to place security controls to mitigate vulnerabilities
- Understanding of risk management frameworks, like NIST Risk Management Framework (RMF) and SP 800-53a
Education & Experience
- Bachelor's degree, in a related discipline, or equivalent
- Typically a minimum of seven years of related work experience.
- 2+ years of software development experience
- 2+ years working with open source projects
- 2+ years working with automation and CI/CD pipelines
- 2+ years working with stakeholders, like development teams, business owners, management and vendors
- 3+ years of experience working with secure SDLCs, processes and standards
- 2+ years of experience in vulnerability research at the framework level is preferred
- 3+ years of experience with common SAST/DAST tools, like Coverity, HP Fortify, Snyk, and Veracode
- 2+ years working with cloud services like Google Cloud Platform (GCP), Amazon Web Services (AWS) and Salesforce
- 2+ years of experience working with risk management frameworks, such as NIST Risk Management Framework (RMF) and SP 800-53a
CNA is committed to providing reasonable accommodations to qualified individuals with disabilities in the recruitment process. To request an accommodation, please contact [email protected].
Date Posted
09/19/2022