The Testing & Assurance Analyst is an enabler for the wider AppSec team that aims to ensure that ensure the adoption of best of breed Application Security practices and that security vulnerabilities are detected and acted upon as early as possible in the project lifecycle. Key stakeholders of this role include Delivery Managers, project managers, heads of delivery, platform and central functions. In this role you will work closely with the other AppSec areas (Architecture and Engineering), wider Security team and project teams throughout the organisation to ensure that security is thought about and delivered early in the project lifecycle and that application security policies, best practices and requirements are complied with. You will often be supporting multiple projects simultaneously and will have to ensure timely delivery of security inputs. You will also help design standards and controls necessary to ensure the security of information systems assets, including prevention of intentional & inadvertent access, modification, disclosure, or destruction.
The role also involves interacting with development teams to ensure that production web and mobile applications are implemented with security in mind. Typical engagements involve conducting architectural / design reviews, code reviews, and penetration tests, tracking new requirements and recommending improvements. The Application Security (AppSec) team has presence in 4 locations (Porto, Cluj, London and Dublin) and is responsible for the security of all Paddy Power Betfair applications developed internally or externally.
- Understand the architecture of production systems including identifying the security controls in place and how they are used;
- Understand and provide advice on using Fortify Source Code Analysis and Checkmarx to enhance the code review process, integrate with application build scripts, write custom rules and train developers to use;
- Contribution to automating certain security tasks within the Continuous Delivery (CD) pipeline;
- Work as part of teams building software providing security guidance;
- Use and promote software, systems and operational security design methodologies;
- Research and evaluate emerging technologies to detect, mitigate, triage, and remediate software security defects across the enterprise.
- Support for all software security services (threat analysis, design review, assessments) and improvements to related services (risk advisory, incidents/investigations);
- Develop plans for security technologies that integrate effectively with other aspects of the technical infrastructure;
Non-technical key responsibilities:
- Liaise with Security Business Partners in the development phase to ensure security input is given and that security reviews are included in project schedule;
- Work with application teams across PPB to encourage a security mindset throughout product development processes from development to testing and implementation;
- Full service engagement and provide ideas, options, solutions and advice to projects with his/her area of responsibility.
- Champion application security throughout the software development lifecycle;
- Build strong business relationships with partners inside and outside PPB to understand mutual goals, requirements, options and solutions to complex or intangible software security issues;
- Constantly contribute to the Security Champions initiative, proving training & awareness to relevant employees;
Skills & Experience:
- 2+ years working in the software development industry
- Experience of managing and performing security assessments (design reviews, code reviews & pen test);
- Good understanding of threats, vulnerabilities and risks, namely OWASP;
- Ability to help people to clearly and accurately articulate complex threats and risks, controls and mitigations;
- Knowledge of various security tools e.g. Burp, Acunetix, Layer 7 firewalls, vulnerability scanners;
- Ability to find solutions to seemingly intractable security problems;
- Able to take a holistic view of technology across the business;
- Strategic thinker with a proven ability to innovate;
- Good communication and documentation skills – ability to communicate with technical and non-technical audiences at all levels of the organization;
- Flexible attitude and ability to meet deadlines under pressure.