About this job


The Application Security team is a multi-functional, highly skilled team tasked with maintaining and improving the state of application security in the enterprise, including n-tier applications, thick clients & web services.

As an Application Security engineer, you will help ensure our software is designed and implemented to a high level of security standards. You will perform risk analysis, security engineering and provide security consulting services to internal customers and participate in a wide range of security issues and discussions focused on building secure applications. You will have the opportunity to work in an innovative and diverse environment. You will be working with application development teams to carry out application security reviews. You will provide expert advice on improving security in the Software Development Life Cycle (SDLC). You'll be working on integrating components such as business requirements analysis, design reviews, use cases, abuse cases, threat modeling, negative testing and other techniques.

You will conduct risk assessment and provide recommendations for application design; and help design, implement, and maintain application security policy, standards, and procedures. You will also work closely with software architects and software developers and evangelize secure coding practices and enhance our application security posture.

The ideal candidate will have an in-depth understanding of security issues and of providing solutions for remediating security vulnerabilities such as the OWASP Top 10 (e.g. cross-site scripting, CSRF). An excellent understanding of a diverse range of technologies and related security best practices (such as enterprise application architectures, middleware, databases etc.) will be necessary to deliver high-quality results.
As part of the role, this position will leverage state-of-the-art web threat detection tools for anomalous behavior detection and use intelligence data to drive remediation and/or enhance the security posture of Discover’s websites.

Given the team’s role in interfacing with many areas of the organization, team members must foster good working relationships with business and IT managers to ensure the organization meets its business objectives.

The candidate should possess good organization skills with the ability to exercise discretion and ingenuity to determine the proper course of action while following established standards.

Qualifications

• Bachelor’s degree in computer science, mathematics, engineering or related field and 5+ years information security experience, or Master’s degree in computer science, mathematics, engineering or related field and 2+ years information security experience.
• Development experience or very good understanding of enterprise class systems in Java/J2EE or .NET programming environments. Experience with popular web application languages and platforms (C, C++, JavaScript, PHP, Ruby, etc.) is a plus
• Scripting experience (e.g., Perl, Python, shell scripting)
• Expert knowledge of common web and mobile application risks and vulnerabilities (e.g., XSS, CSRF, Clickjacking, Business logic flaws, etc.) and their mitigation techniques
• Knowledge of evolving threats and mitigating controls for web and mobile applications
• Working knowledge of securing web services (SOAP & REST)
• Working knowledge of Single Sign-On (SSO) for internal and external applications, including enterprise class tools and infrastructure for SSO
• Working knowledge of network and web related protocols, cryptography, including evolving application level encryption or other obfuscation techniques
• Demonstrated experience with threat modeling
• Demonstrated experience documenting assessment findings and presenting results to technical and non-technical management teams
• Experience with source code reviews for security vulnerabilities is a plus
• Experience with passwordless authentication protocols such as SAML, OAuth, OpenID is a plus
• Experience in credit card, financial and/or banking industry a plus
• Experience or understanding of PaaS and DevOps a plus
• Very strong analysis, project management, verbal and written communication skills
• Must be able to manage multiple projects simultaneously
• Must be highly motivated and able to work effectively under minimal supervision
• Must be team-oriented, placing priority on the successful completion of team goals
• Knowledge of Payment Card Industry Data Security Standard (PCI DSS and/or PA DSS), ISO 17799 or 27001, and NIST
• CISSP, CISA, GIAC, CEH or other relevant information security certification

We are an Equal Opportunity Employer and do not discriminate against applicants due to race, ethnicity, gender, veteran status, or on the basis of disability or any other federal, state or local protected class.