[Hiring][Experienced hire] Information Security Expert
Posted on: 2013-3-12 17:09 1091
Company name: | Internet department of a telecommunications company |
---|---|
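Job title: | Information Security Expert |
Number of openings: | 1 |
Work location: | Beijing |
Salary:* | 12-20K/20-30K per month |
Job description: | This position is mainly in the technical department that provides application security for the company's entertainment, payment and other products; it ensures the security of applications and safeguards the entire Internet department against attacks by hackers. Familiar with application security across the whole process, from initial architecture through design. Protect systems, defend against external attacks, and ensure code review and testing; responsible for ensuring the security of services |
Contact: | bjliepin@163.com |
Phone: | |
Email: | |
QQ/MSN: | 136477725 |
Company website: | http:// |
Company profile: | Internet department of a telecommunications company |
Other information: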
Responsibility:
· You will contribute to Business Impact Assessments, Threat Analysis and Design Reviews for our web applications and services
· You will participate and contribute in application architecture and design reviews as a main technical security expert
· You will conduct white-box and black-box security code reviews and testing
· You will verify new services/application releases, platform configurations and infrastructure components before those are deployed into production
· You will plan, conduct and document vulnerability analysis for our key production components (e.g. Linux kernels, Apache, Tomcat, JBoss, MySQL, Java, PHP, NodeJS), providing recommendations, guidance and support for security patching and validation
· You will conduct continuous penetration testing and ethical hacking of our production services
· You will execute forensics analysis during and after security incidents in order to ensure proper mitigation actions have been taken and needed evidence is collected and stored as needed
· You will document and report the security findings, plan and provide the necessary mitigations
· You will coach developers to prevent and/or fix security issues
· You will evangelize service development teams on security best practices and deliver technical trainings and awareness sessions
Main interfaces:
· The Security, Privacy & Continuity teams
· The Data Center Operations and the Applications Operations teams
· The different business Service Lines and senior management
· The local R&D and development teams (including 3rd parties)
· Nokia partners and 3rd party suppliers
· The Legal department
Qualifications
Mandatory:
· Computer Science or Engineering degree or equivalent working experience
· Solid work experience in application and system security (5+ years)
· Solid understanding of secure application programming, ability to conduct security code reviews (Java, C++, Ruby, PHP, Perl, Python, SQL) and write tools and test cases to demonstrate security exploits
· Hands-on experience in performing penetration testing at platform and application layers (Web apps, REST APIs etc). Solid understanding of attack vectors and exploitation techniques for various vulnerabilities present in modern internet environment
· Strong knowledge of web technologies and standards: HTML, JavaScript, JSON, XML, XHTML, SSL/TLS, REST, SOAP, SAML, OAuth, OpenID
· Strong knowledge of Linux, Oracle, MySQL, Apache, Tomcat, JBoss and other typical Services technology components
· Knowledge of network architecture, standards and protocols
· Good communication skills and ability to present to different types of audience (from top management to engineers)
· Self-motivated, able to work independently with minimal directions and supervision
· *Strong* professional ethics. Logical thinking.
Desired:
· Professional certifications like CEH, OCSP are considered a strong plus
· Holistic view and understanding of security principles, best practices, tools and processes
· Knowledge and experience in mobile application security testing
· Understanding of cloud computing solutions (e.g. Amazon EC2, Rackspace, etc.) and their security challenges