Application Security Analyst

Remote - United States

Applications have closed

As a provider of digital banking services to financial institutions, we operate in a highly regulated industry that requires us to establish and operate mature information security programs. At Lumin Digital, an Application Security Analyst is responsible for:
* Collaborating with stakeholders through the Product and Software Development Life Cycles to ensure security is built into our offerings from conception through design, implementation, testing, and ongoing maintenance
* Providing expertise and guidance to Product and Development teams on industry best practices related to secure architecture and coding, quality assurance, and protecting CI/CD pipelines
* Implementing and maintaining automated application vulnerability scanning tools, including static and dynamic application security tools (SAST and DAST)
* Recommending, scoping, and coordinating manual application penetration testing assessments through third-party engagements
* Following industry-standard practices to prepare for, identify, contain, eradicate, and recover from application security incidents
* Supporting risk management, compliance, and audit functions to measure and continuously improve the company’s application security posture

* Use and optimize monitoring, reporting, and alerting capabilities to identify, prioritize, and address weaknesses, applying research, technical validation, data manipulation, and report-writing skills.
* Maintain knowledge of evolving threat tactics, techniques, and procedures as well as current company and open-source vulnerability disclosures relevant to Lumin Digital.
* Maintain authenticated automated vulnerability scanning systems to ensure they operate regularly and scan effectively.
* Keep accurate and complete records of application security posture and vulnerability detections across a growing and dynamic fleet of cloud servers and remote worker endpoints.
* Serve as a first point of contact to triage, confirm, and prioritize reported application security issues, including from internal sources, client reports, and external reports from security researchers, including from bug bounty platforms.
* Collaborate with clients, auditors, vendors, and the internal security team to validate the security posture of both client-facing and internal applications, which include web interfaces, mobile applications for Android and iOS, microservices, and underlying caching and persistent data stores.
* Upon request, provide architectural and code reviews of Development team deliverables and provide technical recommendations to improve application security posture.
* Enhance and maintain application threat models to inform and prioritize the risk management activities of the Product, Development, and Security teams.
* Establish methods to measure aggregate vulnerabilities and risks, and regularly review and report to the CISO on the operating effectiveness of our related programs.
* Support the vulnerability management program by using assessment tools (e.g. Veracode, Qualys, Rapid7, Whitehat Security, Burp, ZAP) and by coordinating with internal system owners to complete ongoing vulnerability monitoring and remediation activities.
* Collect evidence of security program activities to satisfy client due diligence requests as well as support internal and external audit activities.

* Five (5) years of experience in a relevant technology domain, including security engineering, software engineering, application vulnerability analysis, or information assurance required.
* Three (3) years of demonstrated experience in identifying and technically qualifying application security vulnerabilities in a full-time capacity for large-scale web applications, financial services applications, or mobile applications as a vulnerability analyst, DevSecOps team member, or similar role required.
* Experience with AWS, Git, and application vulnerability management platforms required.

* Ability to read and comprehend application source code, such as TypeScript, JavaScript, C#, Java, and Swift, from a source control repository, such as Git
* Ability to identify common application security vulnerabilities in source code, such as command injection, TOCTOU, and inappropriate use of cryptographic functionality
* Ability to read and comprehend technical details contained in vulnerability assessment and penetration testing reports, and to accurately and independently qualify and reproduce reported issues, either through manual, interactive testing or through written "proof of concept" scripting
* Working knowledge of classes of security vulnerabilities, including those covered by the OWASP Top 10 and the Common Weakness Enumeration
* Working knowledge of vulnerability prioritization methods, including through the Common Vulnerability Scoring System
* Specialized knowledge of authentication and authorization frameworks, such as SAML, OIDC, OAuth 2.0, SCIM, JWT, WebAuthn, and OPA
* Specialized knowledge of applied cryptography for software applications, including the appropriate use cases and relative strength of symmetric and asymmetric encryption, general hashing algorithms, and password hashing algorithms
* Familiarity with factors of authentication, including their use and lifecycle management as prescribed by the NIST Digital Identity Guidelines and the FFIEC guidance relevant to digital banking solutions
* Calm and serious attitude, technical aptitude, appropriate sense of urgency, and communication skills to effectively coordinate with internal team members to raise awareness of and track the remediation progress of vulnerabilities
* Must be able to pass required background checks to be accepted as an employee with access to sensitive information
* Must have strong client orientation and demonstrate a professional demeanor that earns the trust and respect of individuals inside and outside Lumin Digital
* Ability to prioritize tasks and to exercise sound judgment and confidentiality with sensitive information
* Good written communication and interpersonal skills
* Ability to work remotely while maintaining a high level of productivity and effectiveness with moderate supervision
* Curiosity and a strong drive to fully understand and keep apprised of threat and vulnerability trends

Bachelor’s Degree in Computer Science, Management Information Systems, Information Assurance, Information Security, Cybersecurity, or related field; or equivalent self-study in cybersecurity with demonstrated command of key concepts and technologies and proficiencies in software engineering, secure application development, penetration testing, or other technical security risk management domains required.
