Threat and Vulnerability Management – Application Scanner SME

04 Nov 2016
02 Dec 2016
Contract Type
Full Time
The ABB Global Business Services - Information Systems organization (GBS IS) is a unique unit providing software development and infrastructure services which support the business processes of ABB across the world. Every day a team of talented developers, infrastructure experts, project managers, service managers and other specialists works on advanced IT solutions to improve the productivity, efficiency and effectiveness of ABB business operations. ABB is currently making a very significant investment in transforming and further strengthening its capabilities in the area of Information Security. We are urgently recruiting talented and passionate individuals with experience of Information Risk Management, Security Operations Centers (SOC), and Security Intelligence. Joining the ABB IS Infosec Organization, you will have the opportunity to work in a fast-paced, international environment, solve complex problems and grow together with the rapidly developing business.

We are currently looking for candidates for the position of Threat and Vulnerability Management - Application Scanner SME. This role is responsible for establishing, implementing and maintaining the scanning and securing of all ABB applications. He or she will ensure services are delivered in accordance with agreed business requirements and provide the Service Manager with an overview of ABB's risk exposure from internal and external applications. He or she will interact with other security departments regarding the assessment of risk deriving from the findings.

• Work with the Service Manager to establish and maintain the vision and process framework for managing the AS (Application Security) service;
• Provide business and application owners with clear information about the current state of application security, in an automated and rapid way;
• Validate all in-scope findings from security scans;
• Create reports for application owners using the ABB AS reporting tools;
• Participate in discussions with application owners or designated technical contacts to analyze and explain assessment results and to determine the remediation steps and time needed;
• Contribute to the ongoing enhancement of the company's vulnerability assessment capabilities;
• Work with analysts to collect information from the scans they run;
• Report the security status of the services to the Service Manager so that he or she can report to the relevant bodies, especially InfoSec Management, InfoSec Strategy, Governance and Policies, Business Engagement, and Risk Assessors;
• Review exceptions and manage the escalation of unaccepted deviations; work with service providers and InfoSec Risk Management in cases where assessments of risk differ;
• On-board new applications, systems, service providers, etc., and integrate new service providers into the Security Configuration Management processes and activities.

This role ensures that all applications in scope are scanned and that vulnerabilities are validated, reported and remediated in a timely manner. Currently only Crown Jewel applications are covered, but the role should also be able to manage ad hoc scans requested by application owners.
The role requires in-depth experience performing web application vulnerability assessment and penetration testing services with application vulnerability scanning tools (Burp Pro, Acunetix, TrustWave App Scan, open source web application tools, etc.).

• Bachelor's degree or equivalent level with an IT focus, or equivalent practical experience;
• 4 years of experience in Information Security required;
• 1-3 years of experience with application scanning or penetration testing required;
• Ability to work as part of a team towards a common goal and to foster co-operation within the team;
• In-depth experience performing web application vulnerability assessment and penetration testing services;
• In-depth experience with web application vulnerability scanning tools (Burp Pro, Acunetix, TrustWave App Scan, open source web application tools, etc.);
• Industry certifications preferred (e.g. GPEN, GWAPT, OSCP, OSWE, eWPTX, etc.);
• Good understanding of web application vulnerabilities, including their consequences and the remediation needed;
• A clear understanding of the fundamentals of web applications and their architecture, and a thorough comprehension of the HTTP/HTTPS protocols;
• Advanced comprehension of the methods and components used during a web application penetration test;
• Advanced comprehension of session tracking and SSL/TLS use in modern web communications;
• Good communication skills for interacting with application owners;
• Excellent English language skills (spoken and written);
• Knowledge of security auditing and vulnerability assessment techniques and methodologies.