Senior Vulnerability Code Analyst

Job Description Job Description POSITION SUMMARY: CODICE seeks a highly skilled Senior Vulnerability Code Analyst specializing in Ruby-on-Rails to join our team. This role is critical in ensuring the security of our client’s platforms by performing thorough vulnerability code analysis prior to the deployment of every change. The ideal candidate will possess deep technical expertise in both Ruby on Rails and security practices, including extensive experience in code analysis and secure coding principles. ESSENTIAL FUNCTIONS Duties and Responsibilities Conduct vulnerability code analysis on the client’s platforms, with a focus on Ruby-on-Rails applications. Perform security assessments prior to the deployment of every code change. Utilize static and dynamic code analysis tools to identify potential vulnerabilities and security risks. Conduct threat modeling and risk assessments for new and existing applications. Work closely with development teams to remediate identified vulnerabilities and implement secure coding practices. Provide guidance and mentorship on secure coding principles and best practices. Stay current with emerging security threats and vulnerabilities, particularly those affecting Ruby-on-Rails applications. Collaborate with the CISO and other security team members to enhance overall application security posture. Develop and maintain security standards and guidelines for Ruby-on-Rails development. Participate in the software development lifecycle to ensure security is integrated at every stage. Conduct code reviews with a security focus and provide actionable feedback to developers. Assist in the selection and implementation of appropriate security tools and technologies. Contribute to the development of security policies and procedures related to application security. Prepare detailed reports on vulnerability assessments and remediation recommendations. Knowledge, Skills and Abilities o Coding Languages Ruby Demonstrated expert-level proficiency in Ruby programming language In-depth understanding of Ruby on Rails framework and its security implications Experience with Ruby version management tools (e.g., RVM, rbenv) Familiarity with Ruby testing frameworks (e.g., RSpec, Minitest) Additional Languages Demonstrated familiarity with at least one of the following: PHP: Understanding of common PHP frameworks and their security considerations Bash: Ability to write and analyze shell scripts for potential vulnerabilities PowerShell: Knowledge of PowerShell scripting and its security implications in Windows environments Python: Familiarity with Python scripting, especially in the context of security tools and automation o Code Analysis Tools Static Analysis Tools Demonstrated expertise with tools such as: Fortify: Ability to configure, run, and interpret results from Fortify static code analysis Checkmarx: Experience with Checkmarx SAST and its integration into CI/CD pipelines Veracode: Proficiency in using Veracode's static analysis capabilities SonarQube: Skill in setting up and managing SonarQube for continuous code quality and security checks o Dynamic Analysis Tools Demonstrated expertise with tools such as: Burp Suite: Advanced knowledge of using Burp Suite for web application security testing OWASP ZAP: Experience in configuring and using ZAP for automated and manual security testing o Fuzzing Tools and Techniques Familiarity with fuzzing concepts and tools Experience with tools like AFL (American Fuzzy Lop) or libFuzzer Understanding of how to integrate fuzzing into the development and testing process o Security Technologies and Concepts Vulnerability Knowledge Demonstrated expert knowledge of common cyber security vulnerabilities, including: In-depth understanding of the OWASP Top Ten and how they apply to Ruby on Rails applications Comprehensive knowledge of the CWE/SANS Top 25 Most Dangerous Software Errors Ability to identify and explain less common vulnerabilities specific to Ruby on Rails Attack Vectors Understanding of various attack methodologies used against web applications Knowledge of how these attacks can be executed and mitigated in a Ruby on Rails environment Secure Coding Practices In-depth knowledge of secure coding practices for Ruby on Rails Understanding of input validation, output encoding, and other security controls specific to web applications Familiarity with Ruby on Rails security features and best practices SDLC Security Comprehensive understanding of how to integrate security into each phase of the Software Development Life Cycle Experience with security practices in Agile and DevOps environments o Vulnerability Management Threat Modeling Experience with threat modeling methodologies (e.g., STRIDE, DREAD) Ability to create and analyze threat models for Ruby on Rails applications Skill in identifying potential threats and proposing appropriate mitigations Risk Assessment Proficiency in conducting risk assessments for web applications Ability to prioritize vulnerabilities based on their potential impact and likelihood Experience in using risk assessment frameworks and methodologies Remediation Process Management Proven experience in managing the vulnerability remediation process Ability to work effectively with development teams to ensure timely fix of security issues Experience in tracking and reporting on remediation progress Skill in providing clear, actionable guidance for addressing identified vulnerabilities QUALIFICATIONS Required Education: Bachelor's degree in Computer Science, Information Security, Software Engineering, or a related field Required Experience: § Minimum of 5 years of experience in application security, with a specific focus on Ruby on Rails applications § Demonstrated track record of identifying and mitigating security vulnerabilities in complex web applications § Experience working in an Agile development environment and integrating security into CI/CD pipelines § History of successful collaboration with development teams to implement security best practices § Strong analytical and problem-solving skills with attention to detail § Excellent communication skills (both written and verbal) for explaining complex security concepts to various stakeholders § Ability to work effectively in a team environment § Self-motivated with a passion for continuous learning in the rapidly evolving field of application security Preferred Education: Advanced degree (Master's or Ph.D.) in a relevant field is a plus Preferred Licensure/ Certification: Offensive Security Certified Professional (OSCP) Demonstrates hands-on ability to identify and exploit vulnerabilities Indicates a strong understanding of offensive security techniques GIAC Web Application Penetration Tester (GWAPT) Shows specialized knowledge in web application security testing Indicates proficiency in identifying and exploiting web application vulnerabilities Certified Secure Software Lifecycle Professional (CSSLP) Demonstrates comprehensive knowledge of secure software development practices Indicates understanding of security considerations throughout the entire software lifecycle Company Description CODICE provides innovative solutions in health information management for the full lifecycle of healthcare finance and compliance operations. Our customized knowledge-based software helps manage healthcare costs. At the heart of CODICE services are our technology competencies. Paired with our unparalleled process methods, these competencies deliver solutions and results that become an integral part of our clients success. CODICE's technical expertise can be leveraged for full system development, project management or staff augmentation. CODICE areas of expertise include: SYSTEM DEVELOPMENT: Fully customized development from requirements to testing. ENTERPRISE CONTENT MANAGEMENT: System implementations for content management, digital assets, web content and record keeping. SYSTEM INTEGRATION: Expert integrations using open standards, APIs, and a comprehensive toolkit to seamlessly link applications. DATA WAREHOUSING & BUSINESS INTELLIGENCE: Data collection and analysis from multiple sources into a single access point portal that provides tools for key business functions. Company Description CODICE provides innovative solutions in health information management for the full lifecycle of healthcare finance and compliance operations. Our customized knowledge-based software helps manage healthcare costs. At the heart of CODICE services are our technology competencies. Paired with our unparalleled process methods, these competencies deliver solutions and results that become an integral part of our clients success. CODICE's technical expertise can be leveraged for full system development, project management or staff augmentation. CODICE areas of expertise include: SYSTEM DEVELOPMENT: Fully customized development from requirements to testing. ENTERPRISE CONTENT MANAGEMENT: System implementations for content management, digital assets, web content and record keeping. SYSTEM INTEGRATION: Expert integrations using open standards, APIs, and a comprehensive toolkit to seamlessly link applications. DATA WAREHOUSING & BUSINESS INTELLIGENCE: Data collection and analysis from multiple sources into a single access point portal that provides tools for key business functions. #J-18808-Ljbffr