W. R. Berkley

Penetration Tester

Posted on: 25 Mar 2021

Wilmington, DE

Job Description

Company Details

Berkley Technology Services (BTS) is a dynamic company committed to providing world class IT services. We offer a unique culture, enabling our team members to be on the cutting edge of technology while delivering high quality solutions. Our functions include working with various third parties to develop, integrate, and support insurance systems of WRBC's operating units. BTS strives to provide these functions in a holistic manner including helpdesk support, system connectivity, and operational support. Additional responsibilities include coordinating communications regarding best practices in the use of our supported systems and researching new technology. BTS is constantly growing and expanding to meet the changing demands of one of the most successful insurance organizations in the world.

Responsibilities

The information security analyst will work as an integral component of the company's Application Security team. The incumbent will focus on application penetration tests, automated ethical hacking, and static source code analysis within the SDLC. The candidate will be accountable for establishing consensus with stakeholders to reduce cyber risks while minimizing broader operational impact.

* Drive development of a holistic application security program
* Conduct manual ethical hack assessments of high risk web applications
* Rate the severity of defects and publish comprehensive reports detailing associated risks and mitigations
* Support broader vulnerability management processes to measure exploitability of vulnerabilities more precisely
* Reduce the cost of vulnerability remediation by identifying defects early within the development lifecycle
* Good understanding of security processes, procedures, & tools.
* Capable of performing security reviews of general purpose operating systems and network devices.
* Ability to work in teams to improve security posture
* Clearly organize work load to be able to project manage remediation activities

Qualifications

* 10+ years of Vulnerability Management, Application Security, Penetration Testing and Red Teaming experience
* Bachelor's degree with 3-5 years experience in application security
* Proven understanding of OWASP top 10 vulnerabilities
* Ability to document vulnerabilities found within home brew applications.
* Set up demonstration meetings with developers to understand the flow of applications
* Set up remediation meetings and tracking before applications go into production
* Integrate developers with the SDLC process utilizing dynamic and static code review processes.
* Strong coding background with the ability to write scripts when needed.
* Granular knowledge of HTTP request building/fuzzing and the ability to analyze in a local proxy.
* Strong understanding of XML, SOAP, and AJAX
* Good grasp on popular CMS frameworks and best practices.
* Proficiency in Linux (Kali) and the Metasploit framework and with common Kali standard tools such as nikto, dirbuster, sqlmap, nmap, etc.
* Knowledge of defect tracking tools such as Jira
* Security+, CISA, GSEC or similar certification considered; however, not required

Key Accountabilities

* Execute vulnerability scans
* Assist Stakeholders with the interpretation of their vulnerability scan results
* Involvement in penetration testing and red-team exercises if applicable
* Analyze penetration testing results
* Work with metrics to help analyze and prioritize vulnerabilities for remediation
* Track remediation work consistently in order to evidence improvements to program and closure of vulnerabilities
* Work on process and procedure to create repeatable and consistent processes and documentation around management of vulnerabilities
* Assist in operational projects and tasks
* Participate in the ongoing improvement of the scanning and vulnerability remediation processes
* Providing remediation support on any potential findings
* Travel expected - minimal
* Strong written and oral communication skills in order to define business and technical parameters and lead team to meet business requirements.
* Excellent organizational and project management skills.
* Considers the business implications of the application of technology to the current business environment.
* Solid working knowledge of standard features and functions of multiple applications/modules to field, analyze and resolve customer issues/problems.
* Identifies problems, researches alternatives, prepares presentations, drives solutions, tests to confirm, gains consensus, and implements solutions for multiple applications within multiple functions
* Proven ability to work well in a deadline-oriented environment
* Hands-on mentality, very good analytical capabilities with diligent work attitude
* In-depth knowledge and experience with triage and investigation of vulnerability data
* Excellent analytical skills
* Bachelor's degree in computer science or related field
* Strong knowledge of Unix, Linux and Windows operating environments, Oracle database and SQL Server
* Proven stakeholder management at technical and executive levels is a must
* Proven ability to execute and deliver in a complex environment with grace
* Ability to work with regulatory, legal and security best practices including General Data Privacy Regulation (GDPR), NYS DFS 23 NYCRR Part 500, Sarbanes-Oxley (SOX), ISO 27001/27002
* Knowledge of and experience with program and project management is a strong benefit
* Proven ability to prioritize work load, work effectively on concurrent tasks, and be able to meet project deadlines
* Insurance and/or financial experience is desired, preferably within the commercial property and casualty lines
* Strong computer skills, including Microsoft Word and Excel.
* Strong technical and analytic aptitude
* Ability and willingness to learn quickly
* Excellent organizational and planning skills

Soft skills:

* Highly organized and detail oriented; able to function under pressure, troubleshoot, emplace structure where necessary and prioritize between competing activities
* Approachable and outgoing with excellent verbal and written communication skills
* Takes ownership and maintains accountability
* Proven self-starter with energy, passion and drive
* This role will suit a candidate with experience working for smaller organizations where they have been highly visible to the business and where initiative and pro-activity are key
* Emotional intelligence and ability to get on with people and to get the best from them

W. R. Berkley

Greenwich, CT

Founded in 1967, W. R. Berkley Corporation is an insurance holding company that is among the largest commercial lines writers in the United States and operates worldwide in two segments of the property casualty insurance business: Insurance and Reinsurance. Each of the Berkley companies, or operating units, within Berkley participates in a niche market requiring specialized knowledge about a territory or product.

Our competitive advantage lies in our long-term strategy of decentralized operations, allowing each of our Berkley companies to identify and respond quickly and effectively to changing market conditions and local customer needs. This decentralized structure provides financial accountability and incentives to local management and enables us to attract and retain the highest caliber professionals.

We have the expertise and resources to utilize our strengths in the present environment, and the flexibility to anticipate, innovate and respond to whatever opportunities and challenges the future may hold.

 
