Technical Consultant - Application Security

Introduction
At IBM, work is more than a job - it's a calling: To build. To design. To code. To consult. To think along with clients and sell. To make markets. To invent. To collaborate. Not just to do something better, but to attempt things you've never thought possible. Are you ready to lead in this new era of technology and solve some of the world's most challenging problems? If so, lets talk.

Your Role and Responsibilities
This role requires extensive knowledge and experience in identifying and providing recommendations to security risks specific to software applications hosted in AWS & Azure cloud environments in-line with industry standards & best practices. It requires expertise in areas such as secure coding practices, interface review, API security review & threat modeling, security testing techniques, and compliance requirements. You will lead all the technical discussions with application owners & customer stake holders and provide guidance to internal teams in executing security assessments. We are looking for an experienced resource with strong knowledge & skill set to support the application security assessment part pf DevSecOps track.

Required Technical and Professional Expertise
Technical skills:

1. Experience in AppSec toolchain. Eg tools:- Burp Proxy, ZAP, Checkmarx, Synopsys etc etc.
2. To help product team to implement/integrate Security tool set into DevSecOps CI/CD (Jenkins) pipeline.
3. Should be familiar with Secure-SDLC phases, Good in OWASP Standards & guideline and ASVS.
4. Hands-on to perform both white & grey box AppSec test in Static Application Security Testing(SAST), Dynamic Application Security Testing(DAST), S/W composition analysis (SCA), S/W dependency scanning.
5. Acquaint in AppSec posture management, Review Security Vulnerability Reports & false positive analysis.
6. Familiar with IT Policy Framework covers Backup Restoration & Disaster Recovery, Logging monitoring reviews, validate the Configuration & System Integration reviews.
7. Expert in Manual & tools-based penetration testing experience (Grey & Black Box) for Applications, ReST based Web APIs or Web Services, and report findings with fix remediations & recommendations to dev team.
8. Architecture Design / Solution Outline Reviews from security perspective with Architect & Product team to suggest solutions for secure architecture.
9. Threat Modelling Analysis using any of STRIDE / PASTA methodologies or SD Elements.
10. Logical Access Model Review -Good understanding on User access models, RBAC & various authentication & authorization, SSO and Federated identity management, basic of Identity Access Management[IAM], Privilege Access model[PAM].
11. Guiding development team for Secure Coding best practices & verification to suggest Secrets scanning in Product IDE using plugins in Bit bucket/Code repo.
12. Capable of executing Secrets scanning, Container Security using Aqua, Analyse Infrastructure As a Code (IaC) Scanning reports and Terraform & Checkov reports.

Project Management & Soft skills:

1. Handling Jira tool & align with Agile Sprints, Weekly & monthly reporting.
2. Good Communication skills to support geo-diverse teams includes Dev/Product team, Infosec and management.
3. Self-learn and pro-active to drive security team and Self-managed to prioritize individual task.
4. Understanding complex cloud, on-prem, hybrid & multi cloud architectures to ensure the design covered key security aspects and latest implementations like Microservices, AI BOTs & IOT to secure architecture etc.
   1. Knowledge on Enterprise Security Architecture Framework to SABSA, TOGAF, COBIT certifications.
   2. Client-Server, Legacy, Monolithic, Microservices Architecture, Well-Define Architectures in AWS Cloud.
   3. Should have work experience in Migration & Cloud Modernization or digital transformation projects.

Preferred Technical and Professional Expertise
AWS Cloud certification preferred or Knowledgeable in MS-AZURE or Google Cloud & additionally SAP, Salesforce etc.