Senior Attack Surface Reduction Analyst

Job Description

Role: Senior Attack Surface Reduction Analyst
Location: Abu Dhabi

Role Purpose:

Reporting to the Head of Cyber Security Defense Operations, the Senior Attack Surface Reduction Analyst assesses the current exposure of the organization’s assets to security vulnerabilities and gaps that can be exploited by potential threat actors. The employee will work in close coordination with other members of the information security team and other relevant departments across the organization to ensure proper and timely closure of all identified security issues. The role will require exercising leadership when coordinating with internal stakeholders, senior management and external vendors.

Key Accountabilities of the role

  • Reducing the attack surface of the organization by conducting periodic or on-demand security assessment activities
  • Regularly monitoring the external attack surface of the organization and taking necessary action to close identified gaps
  • Performing security assessment of Web Applications, Mobile Applications, APIs, Infrastructure components, etc. as and when required.
  • Providing cost-effective security solutions
  • Executing VA of the organization’s assets as per the approved annual plan
  • Assigning the remediation action for all identified security issues to the action owner in a timely manner and regularly following up until closure of the issue
  • Escalating all pending issues and reporting all non-compliance with existing security policies, processes and standards to the security leadership team in a timely manner
  • Regularly monitoring multiple vulnerability databases and sending security advisories for vulnerabilities to the relevant department
  • Coordinating with external PT vendors and application SPOCs for multiple projects and ensuring closure of all security issues prior to go-live
  • Ensuring compliance with all regulatory requirements like PCI, SWIFT, UAE Central Bank, etc.
  • Staying up to date with all recently identified vulnerabilities, exploits, attack techniques and methodologies

Specialist Skills / Technical Knowledge Required for this role:

  • Proficient in Web, Mobile and API security testing
  • Proficient in secure code review
  • Excellent knowledge of using VA tools from multiple vendors
  • Knowledge of security technologies, processes, and systems/applications
  • Knowledge of DevSecOps and CI/CD pipelines
  • Knowledge of assessing the security of microservices and container applications
  • Familiarity with banking processes and modus operandi
  • Strong knowledge of OWASP Top 10, ISO27001, NESA, PCI DSS, SWIFT and other information security standards and regulations
  • Strong knowledge of fundamental security and network concepts (operating systems, intrusion/detection, TCP/IP, ports…)
  • Bachelor’s degree in Computer Science or IT, or any related technical discipline
  • Professional certifications such as OSCP, OSWE, OSEE, GPEN, CISSP, CISM, AZ500, etc.
  • Knowledge of automation using scripting languages like Perl, Python, Ruby, Unix shell scripting, etc.
  • Cloud knowledge (Microsoft Azure and M365 are preferable)

Previous Experience:

  • 6+ years of relevant experience in Web Application, Mobile Application and API security testing
  • 6+ years of experience in using VA tools like Qualys, Nessus, Nexpose, etc.
  • 6+ years of experience working for big banks or financial institutions
  • 4+ years of experience in secure code review of .NET, Java, PHP and other popular programming languages
  • Experience in application threat modeling and secure design review
  • Experience leading and managing vulnerability and pentest programs across different organizations
  • Experience in presenting vulnerability and PT dashboards to senior management and relevant committees
