Senior Security Consultant - DevSecOps
Location: United States
CyberProof is a cyber security services and platform company whose mission is to help our customers react faster and smarter – and stay ahead of security threats, by creating secure digital ecosystems. CyberProof automates processes to detect and prioritize threats early and respond rapidly and decisively.
CyberProof is part of the UST Global family. Some of the world’s largest enterprises trust us to create and maintain secure digital ecosystems using our comprehensive cyber security platform and mitigation services.
CyberProof is seeking a Senior Security Consultant:
At the core of what we do is our people. The Security Operations Group of CyberProof consists of a global team of 250+ highly talented people including experienced security operations experts, certified cyber security experts, researchers and analysts, project leaders, consultants, and sales professionals. Individuals and teams in this group work closely with client cyber security teams and customer CISOs, CIOs and/or senior business management on business & cyber security strategies and solutions.
This individual will have an extensive background in SDLC Security and Risk Management and work with customers to help prepare security policy and design templates, guides, documentation, policies, procedures, frameworks that are linked to cyber based activities. From there, the person will demonstrate how to use the documentation and map these risks to specific techniques and mitigation methods.
Working with customer Info Security and AD teams the person will create design documentation, enhance existing templates, understand existing architectures, configuration requirements, and response requirements. This work will be conducted through a knowledge acquisition process and a series of workshops with customers.
This position will be based at Chicago or Washington DC, USA, and will be required to work closely with client and UST Global/CyberProof stakeholders. This position will report to the Project Manager and Program Administrator.
Key Responsibilities for the DevSecOps Consultant
· Understand current tools managed by Infosec, i.e., SonarQube, White Source, Contrast, CI/CD Pipelines, configuration policies, scripts, reporting etc.
· Review current processes for security vulnerability identification & remediation scanning, including application scanning (SAST (Static Application Security Testing) & DAST (Dynamic Application Security Testing)), remediation strategies, and SDLC processes within JIRA
· Assess current CI/CD pipeline implementation across application portfolio.
· Review and analyze reports produced on a weekly basis. Assist in aggregating findings across relevant stakeholders.
· Perform gap analysis of the current scanning solution, recommendations for new tools (e.g., ZeroNorth), process improvement, and a roadmap for implementation
· Recommend process improvements and associated implementation roadmap
· Advise on design of integrated SAST, SCA (Software Composition Analysis) & DAST with CI/CD pipeline across application / technology patterns
· Develop reporting templates and recommendations for improved communication
· Review current process of vulnerabilities identified in Scans and associated remediation process.
· Perform review of current policies configured within tools such as Protegrity, CyberArk related to PII/PHI, credential and password storage, process of data tokenization.
· Define DevSecOps processes for SAST and DAST scanning using various tools like SonarQube, WhiteSource and Contrast.
· Understand and mature the process of secret scanning and remediation.
· Develop processes to reduce the scanning window from weeks to days by coordinating with stakeholders across the AD teams
· Review the application portfolio and determine exposure related to PHI/PII for each of the applications. Conduct discovery discussions of PHI/PII data with AD teams.
· Review the current lifecycle process for certificates, keys, and credentials rotation.
· Recommend solutions for vulnerability remediation (e.g., patch deployment) and follow up for closure.
· Recommend remediation strategies. Assist AD teams to implement the strategy.
· Continuously engage with development teams in sprint on an ongoing basis
· Conduct awareness sessions on SDLC (software development lifecycle) security and best practices.
· Monitor & track vulnerability issues, liaise with developers, and track them to closure.
· Track & review vulnerability defects raised within JIRA and assist development teams in fixing issues through to closure.
· Engage AD and developer teams to understand the GitHub code, CI/CD findings, pipeline.
· Publish security metrics monthly, based on existing and proposed improvements.
· Continuously monitor and update vulnerability inclusion & exclusion rules within SAST & DAST tools
· Periodically update & publish development guidelines around scanning policies.
· Work with the customer to implement a process for continuous scanning of GitHub code repositories, notification, and automated creation of defects against applications within Jira.
· Track vulnerability issues and liaise with developers to resolve them as far as possible.
· Govern the follow-up process with AD and developer teams to communicate the findings and have them fixed by the teams. Adhere to the defined SLAs.
· Identify metrics related to Security violations/vulnerabilities.
· Provide Weekly reports on aggregate findings
Must have Skills:
· Minimum of 10-15+ years of experience in Information Security.
· Thorough understanding of SDLC Security and DevSecOps vulnerability remediation
· Must have experience in managing DAST and SAST scans, secure code reviews and processes, programs, and adherence to SLAs
· Must have a strong application security coding background
· Proficient in API development and automated testing using at least two major platforms or frameworks (REST, GraphQL, SOAP) and their associated testing frameworks.
· Highly proficient with source code management and various branching strategies using git in at least one of the major providers e.g. GitHub(preferred), GitLab, Azure DevOps, Bitbucket.
· Hands-on experience with at least one major CI/CD platform in administering and configuring secure Build and Release pipelines: Jenkins, Azure DevOps, GitLab CI, GitHub Actions (preferred), Bamboo, Travis CI, CircleCI, AWS CodePipeline, AWS CodeDeploy.
· Hands-on experience with SAST, DAST and automation tools (SonarQube (preferred), ZeroNorth, Semgrep)
· Highly proficient in managing build configuration in Java (Maven, Gradle) or JS (npm, yarn, etc.).
· Proficient with containers: building, securing, and orchestrating with container technologies such as Docker, Docker Compose, Docker Swarm, Kubernetes, etc.
· Experience in working with Infosec, developers and leadership team to understand the Infosec requirements and work with business and developer community.
· Must have SharePoint skills
· Strong communication and negotiation skills
· Experience in client-facing roles, acting as a driven Single Point of Contact with InfoSec teams in consultative and advisory activities
· Ability to communicate and interpret Infosec requirements and play them back to a non-technical security team (i.e., non-functional requirements)
· Ability to conduct workshops with over 200+ team members to explain SAST and DAST vulnerability remediation processes and why they need to be followed on a daily basis.
· Fundamental understanding of Incident Management and Security Operations.
· Demonstrated process orientation and ability to manage complex tasks.
· Strong communicator and fluent in English.