InfoSec Engineer / Vulnerability Management (Seminole, Florida)
LaBine & Associates
- Fort Lauderdale, FL
The Information Security Engineer is a team player who defines, reviews, and enforces information security policies, standards and guidelines to deliver security solutions for all ongoing business activities.
On top of these duties, this role will manage and execute the company wide Vulnerability Management program to improve the company posture against external, or internal, threats. This will include scheduled scans as well as ad-hoc penetration testing against existing or new environments, application, etc. The individual needs to embrace the teamwork spirit to further the information security team to excel in its organizational objectives.
The Security Engineer role reports to the Information Security Manager.
Primary Duties and Responsibilities | The primary duties and responsibilities of the Security Engineer follow:
- Manage and execute the company wide Vulnerability Management program to improve the company posture against external, or internal, threats.
- Coordinate, schedule and perform routine internal application, network, system and infrastructure scanning. Serving as primary contact for scanning-related issues and manages relationship with partners.
- Develops and presents finding and remediation reports to audiences including team members from all department areas and levels of the company.
- Conduct security penetration testing and performs ongoing vulnerability assessment and penetration testing of internal, perimeter, external and wireless networks as well as web applications and APIs across a variety of technology stacks.
- Identify weaknesses and vulnerabilities that affect the confidentiality, integrity and availability of corporate protected, sensitive and confidential company information and data.
- Work closely with development teams to ensure security requirements are implemented within various stages of the system development lifecycle process; work closely with development teams to pen test new features within internally developed applications.
- Participate in security incident response plan, support detection and classification, define containment, remediation and recovery strategies with the team.
- Assess risk arising from third-parties, vendors and partners in our ecosystem, as well as validate, address and document responses to security findings from third-party penetration testing engagements. Design controls to mitigate risks identified.
- Continuously improves internal security controls to protect systems and data from unauthorized access, modification, and destruction.
- Perform other security team relevant duties and responsibilities as assigned
Qualifications | Experience / Education / Certifications
- Bachelor’s degree preferred in Computer Sciences, Information Technology, Information Security or other related field.
- Five (5) years of related work experience in technology, infrastructure, engineering, architecture and security.
- CE|H Certification or comparable penetration testing certification a plus.
- At least one industry standard certification such as Security+, GSEC, GCIH, Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA) or other security vendor certification.
- Knowledge of vulnerability management and penetration testing methodology required.
- Knowledge of web application attacks and defense strategies including those found in the OWASP Top 10 and Mobile Top 10.
- Familiar with application security tools such as Rapid7, Core Impact, BurpSuite Pro, OWASP ZAP, Nmap, Nessus, Metasploit, Kali Linux, etc.
- Ability to think outside the box and emulate adversarial approaches
- Willing to guide and mentor fellow team members
- Team player able to work effectively at all levels of an organization with the ability to influence others to move toward consensus.
- Clear ability to build strong relationships and establish trust with stakeholders at all levels.
- Excellent verbal and written communications skills - effective communicator who engages well with technical and non-technical audiences alike
- Ability to solve complex problems in a timely manner by working with multiple stakeholders.
- Strong leadership skills with demonstrated ability to prioritize and execute in a methodical and disciplined manner.
- Hands-on expertise operating in an AWS or Azure environment a plus, including architecture and security capabilities in the cloud.
- Knowledge of web application security, browser security models, and application security vulnerabilities such as the OWASP Top Ten.
- Deep understanding of network attacks, DDoS, Phishing, email protocols/security/spam, encryption, authentication, logging and log analysis, IP and device reputation, as well as security rules and policies.
- Knowledge of Security by Design development practices.
- Multiple language abilities preferred – fluency in English (written and spoken) required
- Flexibility to travel as required up to 15% overnight travel.
Friday, March 22, 2019