KGS -DN-IT Assistant Manager - Cyber Assessment

Bengaluru, Karnataka, India

KPMG India

KPMG is a global network of professional firms providing Audit, Tax and Advisory services.


Job Summary

Perform information security risk assessments via static code analysis (SCA) of custom developed source code and open-source software libraries. Advise project and development teams on compensating control alternatives, and function as the primary point of contact between IT project teams and cyber security groups. Function as a subject matter expert in software development security, DevSecOps, SAST/DAST scanning, secure CI/CD pipelines, and other cyber security domains.

Principal Responsibilities
  • Apply a thorough understanding of information security to perform information security risk assessments of technology enabled projects against industry standard or firm-specific control frameworks. Activities may include a variety of techniques, including onboarding development teams to SAST/DAST/IAST scanning toolsets via secure CI/CD pipelines, performing analysis of scan results, providing guidance to developers on recommended controls and countermeasures, and facilitation of security testing and management of residual risk. Assessment methodologies may include a combination of active and passive testing approaches, including static code analysis, vulnerability scanning of open-source software (OSS) libraries, and automated DAST scanning.
  • Advise and guide development and project teams regarding compensating control alternatives where security requirements cannot be met.
  • Act as the primary point of contact between IT development, project, and cyber security teams to help ensure that appropriate security remediation measures are implemented prior to deployment of application source code, and that security-related project objectives and timelines are met. Review evidence provided to close corrective action plans, ensuring that it meets the control objectives.
  • Evaluate vulnerabilities/findings within software security scanning tools, recommending and assisting development teams with steps to remediate source code, web server configurations, and open-source software (OSS) libraries while meeting OWASP, SANS, and firm security requirements.
  • Perform assessment tests and provide information and recommendations; assessment techniques may include control and evidence review, penetration testing, or scanning platforms. Stay abreast of the latest security assessment trends, the security threat landscape, tools, and techniques. Collect evidence as needed to support security reviews and ensure evidence is properly maintained.
  • Function as a subject matter expert in several IT security domains including but not limited to software development security, security assessment and testing, security and risk management, access control, cryptography, and monitoring.
  • May oversee work product(s) and lead entire small projects, managing deadlines, expectations, and often contributing to staffing decisions and supervising the work performed by more junior staff; provide coaching, mentoring and feedback to such individuals.
Education

Bachelor's Degree

Years of Experience

At least 5 years of combined experience in Static Code Review and Cyber Security Assessment.

Type of Experience

Experience performing cyber security risk assessments and control reviews of source code and open-source software (OSS) libraries in multiple languages (.NET, Java, Python) via static code analysis (SCA), Static Application Security Testing (SAST), and Dynamic Application Security Testing (DAST) toolsets. Experience in DevSecOps including secure CI/CD pipelining in Github Enterprise and Azure DevOps. Experience performing cyber security risk assessments and control reviews based on control frameworks such as NIST 800-53, NIST 800-171, FedRAMP, or CMMC; experience conducting active and passive assessments.

Qualifications
  • Solid foundation in software development security and DevSecOps security concepts, with hands-on experience in SCA, SAST, and DAST security scanning and remediation; deep knowledge of web applications, web servers, and APIs; solid understanding of software security and the OWASP Top 10 and SANS 25.
  • Experience working with scanning tools such as Fortify SCA, Fortify SSC, WebInspect, Mend, Github Enterprise, Azure DevOps, GHAS/GHAzDo, Defender for DevOps, and secure CI/CD pipelines, as well as knowledge of common and emerging security risks.

  • SANS GWEB, CDP, or DevSecOps Foundation preferred but not required; other certifications such as CISSP, CISA, and CEH are a plus but not required.
  • Familiarity with NIST 800-53, NIST 800-171, NIST 800-66, CMMC, NIST Framework, ISO, HITRUST, PCI, and/or other relevant control frameworks.
  • Demonstrated understanding of security principles, IT security controls, and related technologies and products.
  • Strong verbal/written communication, problem solving, analytical, and independent judgment skills to support an environment driven by customer service and teamwork. Ability to positively influence, mentor, and be a credible source of knowledge to less experienced team members.
