SUMMARY
The Software Security Specialist analyzes software designs and implementations from a security perspective, and identifies and resolves security issues. This includes the appropriate security analysis, defenses and countermeasures at each phase of the software development lifecycle, to result in robust and reliable software, including the implementation of software into the MERS production environments.
ESSENTIAL DUTIES AND RESPONSIBILITIES include the following:
• Implement, test and operate advanced software security techniques in compliance with MERS technical architecture standards and existing environments
• Perform on-going security testing and code review to improve software security
• Troubleshoot and debug issues that arise
• Provide recommendations/designs for new software solutions to help mitigate security vulnerabilities
• Contribute to all levels of architecture design and modifications
• Maintain technical documentation as needed
• Establish and enforce secure coding practices on both internal systems and with contracted vendors
• Lead implementation of software into MERS production environment to minimize production environment access from external resources as much as possible.
• Maintain an executable source code repository for all custom code where MERS/Vendor agreements for source code exchanges have been made.
• Understand and apply Authentication/Authorization/Accounting (3 A’s) principles
• Understand and apply principles of the Secure System Development Life Cycle in MERS Software Development Life Cycle
• Develop and enforce Static Application Security Testing (SAST) techniques for MERS applications.
• Develop and enforce Dynamic Application Security Testing (DAST) techniques for MERS applications.
• Develop and maintain application scanning capabilities
• Develop and maintain automated security scenario testing practices
• Assist with MERS implementation of release management within MERS environments
• Develop a familiarity with new software security/development tools and best practices
EDUCATION and/or EXPERIENCE
• BS degree in Computer Science, Information Security or related field
• 3 years minimum work experience as a software developer
• Software development experience in any of the following core languages: Ruby on Rails, Java, JavaScript, C/C++, ASP.NET and PHP
• Experience with industry-standard vulnerability management tools, including but not limited to Rapid7 Nexpose, Metasploit Pro, and Rapid7 InsightIDR.
• Detailed technical knowledge of techniques, standards and state-of-the-art capabilities for authentication and authorization, applied cryptography, security vulnerabilities and remediation
• An understanding of the vulnerability identification, analysis, and scoring standard Common Vulnerability Scoring System (CVSS), as well as Common Vulnerabilities and Exposures (CVE)
• Adequate knowledge of web related technologies (Web applications, Web Services and Service Oriented Architectures) and of network/web related protocols
• Demonstrated knowledge of information security programs and operations, data security practices and procedures, and risk identification/assessment
• Experience with / understanding of different threats to an organization
• Experience as a software security specialist or engineer preferred
• Preferred certifications: CSSLP, GIAC (e.g., GCIH, GCIA, GCFA, etc.), CEH, OSCP, CISSP, or Security+
Major duties and responsibilities are listed above. This list indicates the kinds of work the person does, but in no way limits or modifies a supervisor’s right to change jobs or assign additional or different work to employees.
QUALIFICATIONS
• Strong problem-solving and critical-thinking skills with the ability to diagnose and troubleshoot technical issues
• Ability to analyze complex problems, interpret operational needs, and develop integrated, creative solutions
• Proficient in relational database management system concepts
• Strong interpersonal skills and ability to deal effectively in a team environment.
• Strong influence skills, the ability to network and build consensus
• Ability to respond effectively to the most sensitive inquiries or complaints.
• Advanced knowledge of Microsoft technologies and platforms
• Excellent verbal and written communication skills, including the ability to convey technical details in a clear and understandable manner to a variety of audiences
• Must be able to work independently, prioritize assignments and meet deadlines
• Interest in all aspects of security research and development
• A strong desire for continuous process improvement and excellence
• Strong planning, time-management, and organizational skills
• Ability to remain calm in stressful situations
PHYSICAL DEMANDS
The physical demands described here are representative of those that must be met by an employee to perform successfully the essential functions of this job. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.
• While performing the duties of this job, the employee is occasionally required to stand; walk; sit; use hands to finger, handle, or feel objects, tools or controls; reach with hands and arms; climb stairs; balance; stoop, kneel, crouch or crawl; talk or hear; taste or smell.
• The employee must occasionally lift and/or move up to 25 pounds.
Specific vision abilities required by the job include close vision, distance vision, color vision, peripheral vision, depth perception, and the ability to adjust focus.
WORK ENVIRONMENT
The work environment characteristics described here are representative of those an employee encounters while performing the essential functions of this job. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.
• Location: All work of this position will be performed on site at MERS main office.
• Weather: While performing the duties of this job, the employee is not exposed to weather conditions.
• Noise: The noise level in the work environment is usually moderate.