Job Description
Ultimate Software is seeking an Application Security Analyst that will serve as a key security team member, responsible for the assessment of internally developed and 3rd party purchased applications. The role will work with a variety of departments and application/system owners to assess and remediate identified application vulnerabilities in source code and/or system configurations.
The qualified candidate possesses hands on application vulnerability assessment experience and a thorough understanding of application level exploits. Strong Microsoft environment and system configuration knowledge (OS, SQL, IIS, .asp, .net, etc.) and security tools experience is required.
The Application Security Analyst will also work closely with the infrastructure team to identify network security issues as well as participate in research and development of security technologies that will assess/monitor/reduce vulnerabilities for the enterprise.
This position demands strong communication and organizational skills, problem-solving expertise and multi-tasking abilities.
Our environment is challenging and fast-paced. Among our many company and product awards, we recently earned "Best IT Department" in 2007 from the prestigious, national American Business Awards organization.
Responsibilities
- Review internally developed and 3rd party applications to determine the risk they pose to the environment and to verify that appropriate security controls are implemented and conform to security policies and industry best practices.
- Conduct information security threat analyses on new and changed applications to be implemented.
- Provide guidance on the integration of information security within the application development lifecycle.
- Run a variety of commercial and/or open source vulnerability assessment, penetration testing or forensics tools identifying vulnerabilities and the appropriate solutions to eliminate or minimize their potential effects.
- Lead the assessment and acquisition of application security tools and technologies.
- Assist with security incident response, investigations, running forensics tools, and event documentation/reporting as needed. Accountable for sound problem determination and resolution.
- Serve as an internal information security advisor and subject matter expert to the organization and on various projects.
- Stay current with the latest information security and risk management knowledge, including new and emerging threats and vulnerabilities.
- Assist internal resources and external auditors during penetration tests, ISO 27001, SAS70 and Sarbanes-Oxley audits as needed.
- Manage and assist in security governance projects to improve internal operations.
- Review new systems designs and major modifications for security implications prior to implementation.
- Support a 24x7x365 operations environment, with on-call duty to serve as a resource for incident response activities as needed.
- Document and present application/system risk assessment findings to management.
- Coordinate security remediation activities with various departments.
- Participate in departmental meetings.
- Maintain and update security policies and procedures.
- Oversee the remediation and tracking of security audit/assessment exceptions.
Job Requirements
- Solid understanding of application vulnerabilities and countermeasures (able to provide/recommend remediation approach, not just provide vulnerability reporting information)
- Strong experience and understanding of secure coding principles.
- Strong knowledge of the security aspects of Windows Operating Systems, Active Directory access rights, SQL access, IIS Web Server configuration, .asp and .net.
- Knowledge of MS SQL database architecture and SQL query language.
- Hands-on experience with application vulnerability scanning tools.
- Proficiency in running application and network scanning tools, such as Nessus, nmap, NeXpose, AppScan, etc.
- Skilled in recognizing various attack signatures, such as SQL injections, cross-site scripting attacks, etc.
- Skill in collecting and analyzing complex data, evaluating information and systems, and drawing logical conclusions.
- Knowledge of management information systems terminology, concepts, and practices.
- Experience in researching security topics and technologies.
- Strong knowledge of OWASP.
- Strong TCP/IP experience.
- Proficient in MS Word, Excel, PowerPoint, Access and Visio.
- Advanced written and verbal skills.
- Detail-oriented.
- Ability to multi-task; comfortable working on multiple projects simultaneously.
- Ability to work independently under general supervision with considerable latitude for initiative and independent judgment.
- Effective verbal and written communications, including active listening skills and skill in presenting findings and recommendations.
- Ability to establish and maintain harmonious working relationships with co-workers, staff and external contractors/auditors, and to work effectively in a professional team environment.
Preferred Qualifications/Skills
- 3-5 years of applicable application security development/assessment experience.
- Experience with AppScan and other application, database and network vulnerability assessment tools.
- Experience with Web Application Firewalls, security device log analysis, and Symantec products is a plus.
- Security and/or Microsoft professional credentials/certifications.
Education/Certification/License
- Bachelor's or Master's degree in Information Systems or Information Security preferred
- CEH (Certified Ethical Hacker)
- CISSP or equivalent professional security credentials
- MCSE or other applicable Microsoft credentials
Travel Requirement: Limited travel upon request