General Responsibilities:
Placed in public agencies, you will collaborate with stakeholders and be responsible for:
- Establish Standards: Define and maintain the Ministry-wide framework for security testing (Vulnerability Assessment and Penetration Testing - VAPT).
- SOP Development: Create and roll out Standard Operating Procedures (SOPs) to guide Agency project teams on engaging external security vendors and managing internal testing cycles.
- Quality Assurance: Develop Quality Rubrics to help agencies evaluate the performance of pen-testers. You will conduct periodic sampling of testing reports and project involvements to ensure quality and rigour across the Ministry Family.
- Support security tools such as CSPM (Cloud Security Posture Management) and VMS (Vulnerability Management System) platforms, and follow up on their findings as part of remediation.
- Assisting in the development of agency-specific security requirements, and reviewing and providing consultancy on project-specific application and system security architecture, to ensure that key security requirements are defined and designed into the systems, implemented in accordance with the security design, and compliant with prevailing ICT security policies, standards, and guidelines.
- Secure Coding Standards: Establish Ministry-wide secure coding guidelines (e.g., based on OWASP, SANS) to ensure developers build security into the application layer from day one.
- Source Code Analysis: Lead the strategy for Static Application Security Testing (SAST) and Software Composition Analysis (SCA). You will evaluate tools that automate the detection of vulnerabilities in source code and third-party libraries.
- Participating in scoping and facilitating of security assessments, reviews and audits, as well as reviewing their results, ensuring issues identified are adequately resolved and residual risks appropriately managed to ensure security assurance prior to commissioning.
- Staying updated on current and emerging security technologies for cloud platforms such as AWS, and tracking the evolving threat landscape, including threat actors and attack methodologies, to support agencies' gap analysis and threat management.
- Partnering with stakeholders, project teams, and outsourced vendors to ensure security objectives are achieved.
[Qualifications, Skills and Mindset]
General Requirements:
- Degree in Computer Science, Computer or Electronics Engineering or Information Technology or related disciplines.
- Minimum 3 years of IT security experience in IT security operations, including management, deployment, and maintenance of security for ICT systems.
- Domain Expertise: Proven track record in conducting penetration tests for Web Applications, IT Systems (cloud environments), and complex Network architectures.
- Ability to effectively communicate cybersecurity risks, mitigation measures, and residual risks to stakeholders.
- Knowledge of cloud and on-premises security technologies, such as SIEM, Log Management and Analysis Tools, firewall, cryptography, vulnerability scanning tools, endpoint security, identity and access management, as well as frameworks like the MITRE ATT&CK framework, and security domains including data security, network security, cloud security, and application security.
- Source Code Analysis Tools: Proficiency with enterprise-grade SAST, DAST, SCA and VAPT tools (e.g., Checkmarx, Fortify, SonarQube, Snyk, Burp Suite).
- Familiarity with application security testing tools and methods, such as vulnerability assessment and penetration testing (VA/PT), source code reviews, and static/dynamic application security testing, as well as waterfall and agile application development methodologies and DevSecOps concepts.
- Day-to-day security operations support as L2.
- Team player with good interpersonal skills.
- Possess good written, verbal, and presentation skills.
- Possession of OSCP, SSCP, GDSA, cloud security, or related certifications would be advantageous.