SAST/DAST Specialist
Job Summary
Under technical direction, the Static and Dynamic Application Security Testing (S/DAST) Specialist enhances the security of internally developed source code and applications by identifying and minimizing security vulnerabilities and code weaknesses. This position is a key member of the Application Security Team (AppSec), which manages the Secure Development Life Cycle (SDLC) throughout CNA's Technology organization. This position works closely with project teams across the organization and supports multi-faceted engagements spanning legacy and modern technologies.
Essential Duties & Responsibilities
Performs a combination of duties in accordance with departmental guidelines:
- Executes day-to-day responsibilities of testing enterprise applications for vulnerabilities both dynamically and statically.
- Establishes vulnerability testing and scanning requirements with AppSec Leadership.
- Supports enterprise policy and technical standards with specific regard to SDLC and secure configuration.
- Partners with other Security and Technology professionals to support and enable strategies for enhanced developer experience.
- Acts as a subject matter expert with the Enterprise Architecture and Infrastructure teams during engagements and project meetings.
- Works with applications both on-premises and in the cloud.
- Understands business requirements and works with stakeholders to define appropriate solutions that meet security objectives while meeting the business need.
- Provides guidance, technical expertise and support to team members regarding the SDLC framework and software composition analysis per the CNA AppSec standard.
- Participates in and leads new projects as needed.
May perform additional duties as assigned.
Reporting Relationship
Typically Manager or above
Skills, Knowledge & Abilities
- Solid written and verbal communication skills, with the ability to collaborate with peers, Technology leadership and team members, and internal and external business partners.
- High-performance skillset that not only understands the threat space as it relates to risk but is also able to translate technical gaps into business risk when communicating with senior leaders and other key stakeholders.
- Solid experience with application vulnerability scanning, software composition analysis, SDLC and programming. Highly skilled with application scanning tools such as Burp Suite, Nessus or equivalent.
- Demonstrated experience with a wide range of programming languages (Perl, .Net, Python), database platforms (SQL, NoSQL), etc., and with detecting and securing applications from vulnerabilities, including the OWASP Top 10.
- Solid understanding of application-level security issues and risks. Experience with manual and automated composition analysis tools and techniques.
- Comfort in a diverse technology environment spanning multiple operating systems and architectures.
Education & Experience
- Bachelor's degree in Computer Science or a related discipline, or equivalent work experience.
- Typically a minimum of four years of related work experience in Information Technology.