Sr Security Consultant Product Security Full-time Job
Dec 3rd, 2023 at 02:06 | Information & Cyber Security | Toronto | Reference: 18
Job Details
The role will support the manager of DevSecOps within TELUS Health Chief Security Office in leading the engineering of security at scale within the secure software development cycle, representing CSO.
This individual contributor role will help assess each product's security maturity through consultation, select and implement security controls within their pipelines (WAF, SAST, DAST, IAST, SCA), and act as an SME for validating security vulnerabilities and remediating those findings. This individual will act as a product security evangelist and contribute greatly to the development and implementation of the security champion program. The individual will also be involved in promoting security awareness, disaster recovery planning and testing, corporate security policy maintenance and enforcement, and threat and risk assessments.
Working as a partner to the product teams and TELUS Health Cloud program, this role will drive the adoption of secure Cloud and application security within the pipelines and processes of the product.
Provide training and awareness sessions to application development teams, highlighting the benefits of web application layer protection services, and demonstrating exploitation of confirmed security vulnerabilities
Perform comprehensive Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST), and Software Composition Analysis (SCA) to identify vulnerabilities
Review security scan results and work closely with the development team to prioritize security vulnerabilities using a risk-based approach
Identify vulnerabilities and weaknesses through web and mobile application security assessments, code reviews, threat modeling, vulnerability scanning, and manual application penetration testing
Provide actionable recommendations and guidance to improve the security posture of applications and their supporting technology infrastructure
Collaborate with stakeholders to develop and enhance security policies, procedures, and risk management strategies
Lead key security initiatives, manage projects, and work collaboratively with cross-functional teams
Work across product teams to integrate security into the SDLC / CICD pipeline through consideration of security at each step, extending security into the design, the developer environment (IDE), software composition analysis, static assessment, and dynamic assessment as part of the local CICD pipeline
Drive consistency of control and solution across the tooling applied within each product team. Whilst a single solution will not always be desirable, seek out consolidation where possible and ensure all solutions have consistent levels of security
Identify, justify and promote the use of shared security services or patterns (e.g. Web Application Firewalls) that can deliver consistent security protection without impeding local product agility or effectiveness
Ensure product development teams have the right level of security expertise to operate their aspects of the security operating model
Work with the SecOps team to define response playbooks for application security incidents, and seek out automation for common events to ensure sustainable T1/T2 operation
Work with the SecOps team to define the runbooks for application security tooling operated by the CSO team, ensuring sustainable security operation across TH’s portfolio of applications
Responsibilities
Provides leadership in technology development and supports activities including business requirements definition, design, quality assurance, implementation and technical support
Manages delivery of assigned tasks using project management discipline
Works independently with minimal supervision
Participates in secure SDLC and technology integration projects using security technology tools and techniques
Sets high standards for own work and ensures high quality outcomes are achieved
Prepares project estimates and schedules of project activities as required
Sets realistic and achievable expectations for deliverables
Ensures effective work habits including punctuality, responsiveness and accessibility to others
Coaches and mentors more junior staff members within the IT Group as required
Provides timely feedback to team members on matters related to technology development and team interaction
Works effectively as a member of the TELUS Health CSO
Promotes teamwork and collegiality in the work environment
Observes the corporate values of TELUS Health
Promotes TELUS Health as the service provider of choice in the industry
Attends internal training sessions to build knowledge of industry topics and trends
Assists incident response and remediation, special projects and other tasks, as required
Understanding of regional privacy requirements (GDPR and Australian, Chinese, US and Canadian privacy laws)
Managing an enterprise SIEM solution
Able to manage a vulnerability assessment platform (web application and infrastructure) and supplement with penetration testing.
Writing scripts in at least one scripting language (Python, PowerShell, Linux command line, etc.) for discovery and auditing purposes
Qualifications
What you bring
University degree or equivalent industry experience
Strong communication, presentation, and relationship skills, especially the ability to articulate technical topics
Knowledge of security and industry standards (e.g., ISO, NIST, ITIL, etc.)
Knowledge of and practical experience with any of the following: OWASP Top 10, OWASP Web Application Security Testing Guide (WSTG), OWASP (Mobile) Application Security Verification Standard (MASVS/ASVS), BSIMM, and OpenSAMM
CISSP, CCSP, CRISC or a similar Cloud certification is preferred.
Practical Cloud security experience with appropriate certification spanning GCP and either AWS or Azure
Experience working on enterprise Cloud services deployments (SaaS, PaaS, IaaS) and an understanding of the security challenges involved in Cloud migration, adoption and operation
Experience deploying and migrating to/from private Cloud environments
Experience with virtual machine management, container orchestration, API management and secure use of serverless technologies
Knowledge of application security, software development with security concepts and integration into the development pipelines.
Experience across SCA, SAST, DAST, and IAST
Experience working with proxy intercept tools such as Burp Suite Pro or OWASP ZAP
Integration experience across pipelines and orchestration tools such as Jenkins, source repositories (e.g. GitHub, Bitbucket, etc.), Integrated Development Environments, and testing tools
Experienced with agile delivery teams and environments
Experienced working in a DevOps / SRE operation
Experience with application security capabilities including Web Application Firewalls, DDoS mitigation, Bot prevention, and associated threat management controls
Familiarity with pipelines, automation and scripting
Performed threat modeling (e.g. STRIDE) and design reviews assessing the security implications and requirements of introducing new technologies
Performed security design/architecture reviews, code reviews, and penetration tests of large applications, systems and/or networks
Nice to haves
Professional security certifications: Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Cloud Security Professional (CCSP), and others
Industry-recognized certifications would be an asset (e.g., OSCP, OSWE, ECDE, Burp Suite Certified Practitioner, GWAPT, eWPT, GMOB, eMAPT, etc.)
Experience within a regulated business environment
An insatiable appetite for modern and emerging technologies and tools
#LI-REMOTE
Midpoint Base Salary: $120,000
Performance Bonus or Sales Incentive Plan: 15%
Actual total compensation can be above or below the listed pay, based on knowledge, skills, performance and experience.
Company Description
We're a people-focused, customer-first, purpose-driven team who works together every day to innovate and do good. We improve lives through our technology solutions and foster a culture of innovation that empowers team members to solve complex problems and create remarkable human outcomes in a digital world.
You'll find our engaging, high-performance culture personally fulfilling, professionally challenging, and financially rewarding. We're committed to diversity and equitable access to employment opportunities based on ability. Your unique contributions and talents will be valued and respected here. When you join our team, you're helping us make the future friendly.