Job Details

ID #43591149
State Texas
City Dallas / Fort Worth
Job type Contract
Salary USD TBD TBD
Source SmartIT Frame
Showed 2022-06-24
Date 2022-06-23
Deadline 2022-08-22
Category Et cetera

Senior IT Security Analyst

Texas, Dallas / Fort Worth, 75342 Dallas / Fort Worth USA

Vacancy expired!

Background

The Senior IT Security Analyst works within the Product Security team to improve the security maturity of GfK's large web application portfolio. The role involves close collaboration with technical engineering teams and product owners to ensure application security requirements and security capabilities are implemented throughout the software development lifecycle, enabling a secure by design culture within GfK.

Key Responsibilities

  • Work with engineering squads (Developers, SREs & QAs) to ensure that projects are secure on delivery
  • Provide engineering teams with guidance on securing web applications, APIs & Cloud Native Services
  • Support engineering teams with security remediations, helping them meet agreed KPIs & SLAs
  • Conduct application threat modelling supporting definition of security requirements & controls
  • Integrate security tools & capabilities into product teams' CI / CD pipelines as part of SDLC
  • Build/maintain/support security testing tools
  • Provide application security coaching & training of junior security peers and engineering colleagues
  • Coordinate and perform technical application security assessments & reviews
  • Explain risk and criticality of identified vulnerabilities to business owners/technical teams and advise on remediation activities
  • Contribute to defining & maintaining application security framework & associated standards
  • Coordinate third-party penetration tests of GfK products
  • Use of dynamic & static security testing tools to assess GfK product artefacts, such as source code, third-party libraries & containerized environments
  • Support SOC during security incidents involving Cloud environments and/or web services
  • Take a lead role in GfK's Application Security Community of Practice (CoP)

Skills & Experience Required

General Skills:

  • Be able to build good working relationships with both technical and business stakeholders, gaining their respect and trust based on your knowledge and professionalism
  • Have the ability and desire to quickly learn new technologies
  • Excellent communication skills and ability to work with global counterparts
  • Promote Secure by Design culture, leading by example to change existing systems and practices for the better
  • Good troubleshooting skills
  • Forward looking approach to addressing existing & upcoming security challenges
  • Able to review complex technical designs

Technical Skills:

  • Strong knowledge of OWASP
  • A good understanding of securing public cloud technologies (AWS & Azure)
  • Ability to work with APIs and plugins to integrate security tools into established CI/CD pipelines
  • Experience integrating DAST, SAST, IAST & SCA tools into the SDLC
  • DevOps Automation using Jenkins, Puppet, Ansible, GitLab etc.
  • Experience with securing container technologies including Docker and Kubernetes
  • Hands-on experience of infrastructure as code
  • Experience with secrets management solutions
  • Understanding of application-level penetration testing & ethical hacking
  • Understanding of end-to-end security within the software development lifecycle
  • Working knowledge of application security with respect to web and enterprise application development
  • Full understanding of web stack, web security and common vulnerabilities (e.g. SQLi, XSS etc.)
  • Development/coding skills to facilitate code review, tool development & security remediations

Experience:

  • Experience working with Development, SRE & Engineering teams in a dynamic environment to promote/implement the Secure by Design practices throughout GfK products
  • Experience with web application penetration testing & ethical hacking
  • Prior DevOps/Development/QA experience beneficial
  • Experience working in an Agile/Sprint based delivery environment (using Jira/Confluence or other bug tracking tools) would be an advantage in this role
Relevant application security certification desirable
