Application Security Manager

Job Responsibilities:

• Manage, direct and deliver cyber-attack simulations as part of the RED team activity
• Manage, direct and deliver Vulnerability Assessment (VA) and Penetration Testing (PT) and configuration review for network, web, mobile and thick-client applications, APIs, POS etc
• Manage, direct and deliver source-code review using automated and manual approaches, review results to eliminate false positives
• Manage, direct and deliver configuration reviews for OS , DB, Firewall, routers, switches and other security devices/components
• Perform and deliver gap analysis and assessments based on standards, guidelines, notices, circulars (eg., ISO27K1, MAS TRM, HKMA etc)
• Prepare and review detailed reports and ensure timely delivery of status updates and final reports to clients

Provide technical guidance with respect to the development and execution of our key application security service offerings, including:

• conducting assessments of applications (web, cloud, mobile, API) using range of manual and automated source code review techniques;
• performing security architecture reviews and risk assessments for applications in design and production phases;
• identifying potential threats and attacks to applications systems through threat modeling;
• identifying security recommendations and aligning them to appropriate risk ranking systems;
• integrating application security tools and process in pipeline;
• agile penetration testing; evaluating, developing, enhancing and/or running application security programs for our clients;
• conducting the above with a specific focus on DevSecOps.
• Manage client stakeholders, provide project status updates, discuss findings and explain recommendations
• Work with clients to analyze, evaluate, and enhance the effectiveness of their application/product security posture at procedural and technological levels from design to deployment.
• Keep abreast of the latest IT Security news, exploits, hacks

Essential Skills:

• Manage projects, team members and client stakeholders for successful delivery
• Manage project economics
• Thorough and practical knowledge of OWASP, network protocols, data on the wire, and covert channels
• Hands on experience with popular security tools – Nmap, Nessus, Kali, Metasploit, BurpSuite, Netsparker, OWASP CSRF Tester, Fortify/Checkmarx, SonarQube, Synopsys, SQLite browser, Drozer
• Working knowledge of manual testing of web applications
• Understands Software Development Life Cycle and SOAP, REST and GraphQL APIs
• Skills in performing VAPT for Web applications, Mobile applications, APIs, Network infrastructure, Thick client applications
• Good knowledge of modifying and compiling exploit code
• Good understanding and knowledge of codes languages
• Has practical experience in auditing various OS, DB, Network and Security technologies
• Strong understanding Unix/Linux/Mac/Windows, operating systems, including bash and Powershell

Experience in at least three of the following:

• Set up and operate red team infrastructure
• Perform targeted, covert penetration tests with vulnerability identification, exploitation, and post-exploitation activities
• Email, phone, or physical social-engineering assessments
• Developing, extending, or modifying exploits, shellcode or exploit tools
• Reverse engineering malware, data obfuscators, or ciphers
• Strong credentials in wireless, web application, and network security testing
• Familiar with MITRE ATT&CK framework and D3FEND matrix

Educational Requirements & Experience

• Bachelors in Computer Science/IT/Electronics Engineering or equivalent University degree.
• Minimum of 5-7 years of experience in the managing and delivering security tests and compliance review projects.
• Certifications: CREST CRT, CREST CPSA, Offensive Security Certified Professional (OSCP), GIAC Certified Web Application Defender (GWEB)
• Other Certifications: OSWP, BSCP, Certified Red Team Professional