Job Location US-DC
Job ID 10271
Job Location United States
Category Information Technology/Software
The American Institutes for Research (AIR) is one of the world’s largest behavioral and social science research and evaluation organizations. Within AIR, AIR Assessment focuses on providing clients with customized assessments that not only measure student achievement against state standards, but also provide meaningful score reports that can help students, parents, and educators address any areas of student weakness.
As a result of our continued growth, we are seeking a Security Architect to join the software engineering and product development team of AIR Assessment.
Some of our ground-breaking work in AIR Assessment includes:
– advanced computer-adaptive algorithms (only one that’s peer-approved in the country)
– mobile support for the user interfaces
– learning management systems with social media features
– user interfaces that are universally accessible to people with or without disabilities
– innovative, machine-scorable items
– Develop and maintain system requirements, design specifications, installation and deployment instructions, and other system-related information to address information security engineering/architecture requirements.
– Work with software architects and developers to understand the AIR Assessment application deeply, to then define logging and auditing standards.
– Participate in and lead projects for security requirements, network design reviews, and in house security testing of our product suite.
– Perform the day to day monitoring of security tools such as vulnerability scanners and act as an escalation point for notifications sent by hosting providers or internal teams regarding malware, vulnerabilities, indicators of compromise and other security related incident indicators.
– Perform manual and automated testing of new software and infrastructure used by AIR AST before they are deployed to production.
– Ensure the proper implementation of network controls with hosting provider(s), such as firewalls, IDS/IPS, DNS monitoring, WAF and DDoS protection.
– Implement processes and tools to ensure that all exchanges of information with third parties and clients use secured paths.
– Remediate issues discovered through penetration testing, integrating these results to the vulnerability management process.
– Create both short and long-term enterprise network security technology roadmaps to address organizational strategic requirement.
– Ensure operational and incident trends in cyber security are considered in developing security architecture requirements and recommendations.
– Maintain high level of proficiency of hands-on experience with open source and commercial vulnerability assessment and penetration testing tools such as HP WebInspect/IBM AppScan/, Tenable Nessus/Rapid 7 NeXpose/Cenzic Hailstorm, Burp Suite, OWASP tools, Nmap, Wireshark, Fiddler, Firebug, Metasploit/Core Impact, sqlmap, ettercap, Caine and Able, BeEF, DirBuster, as well as tailor-made penetration testing distributions such as Kali Linux and Samurai WTF
– Provide recommendations for advancing the enterprise security architecture practice, security policies, and security control standards to enhance operational practices
– Proactively conduct security threat analysis and recommend solutions to manage network, systems and application vulnerabilities.
– Work with systems administrators and hosting providers to ensure authentication security tools such as Two Factor Authentication are deployed securely, and that service accounts and other highly privileged and administrator/support accounts are restricted as much as possible
– Bachelor’ss degree in Computer Science, Engineering, Sciences, Mathematics (or related disciplines).
– 8+ years of security architecture experience.
– Specific Information Security related experience including encryption, IDS/IPS, Firewalls, SEIMs and Log Management, syslog analysis, HTTP and TCP/IP analysis, and vulnerability assessment.
– Strong understanding of information system security vulnerability assessment/testing on a wide variety of technologies and implementations utilizing both automated tools and manual techniques such as: XSS/CSRF, SQL Injection, Buffer Overflow, and DoS attacks.
– Significant hands on experience with manual web application assessment and penetration testing methods related to web application mapping, reviewing client-side controls, testing user-input fields, and attacking session management, authentication, access controls, encryption, and backend databases/data stores
– Knowledge of securing cloud based systems (AWS, Azure, private clouds etc)
– In-depth knowledge of mapping business requirements to technology and ability to identify security gaps at the architecture level.
– Proven ability to clearly document and communicate security findings, risk description, risk level, and recommended solutions to stakeholders.
– Industry information security certifications: OSCP/OSCE/OSWE, GPEN, GWAPT, CEH, CISSP.
– Experience in performing static code analysis tools such as HP Fortify, Veracode, or IBM AppScan Source
– Good understanding of the components of a secure SDLC
– Understanding of networking, operating systems such as Linux and Windows..
– Demonstrated knowledge of security industry standards and best practices such as OWASP and NIST.
– Excellent interpersonal, analytical and problem-solving skills.
– Proven ability to manage multiple tasks/projects.
– GCIH, GCTI, CISSP, CEH, or other relevant certification preferred
– Experience with and knowledge of packet flow, TCP/UDP traffic, firewall technologies, IDS technologies (e.g., Snort rules), proxy technologies, and antivirus, spam and spyware solutions
– Experience conducting analysis of electronic media, packet capture, log data and network devices in support of intrusion analysis or enterprise level information security operations
– Experience with Nessus, Metasploit, Burp Suite Pro, Kali Linux tools, programming / scripting exposure (Python, Perl, C, Bash, PHP, Node)
To apply for this job please visit itjobpro.com.