You work for a large, global, multinational corporation. The company's offices around the world are connected through a worldwide private network. The company maintains a central data center in Europe and individual local data centers in the countries where it operates. It works with large global vendors, including one that manages telecommunications (called SBO), one that maintains the servers (called PRO), and a cloud solution provider (called CSP) whose software-as-a-service products for the business environment include email, office applications, personal productivity tools, collaboration tools, etc. The company's current strategy is to replace the legacy collaboration tools with modern cloud-based digital solutions that allow employees to collaborate securely anywhere and on any device.
- Understand and implement the secure SDLC process including Policy and Compliance, Threat Assessment, Education and Guidance, Security Requirements, Secure Architecture in project under development;
- Has solid knowledge of the OWASP Top 10;
- Has experience with OWASP ASVS implementation and verification;
- Has experience with the OWASP Software Assurance Maturity Model (OSAMM);
- Has solid knowledge of cloud security and can configure and assess security settings in SaaS/PaaS solutions;
- Makes decisions regarding security in the development process of a specific project/team;
- Estimates the overall business risk profile;
- Classify data and applications based on business risk. Establish a simple classification system to represent risk-tiers for applications. In its simplest form, this can be a High/Medium/Low categorization;
- Build and maintain compliance guidelines. Create policies and standards for security and compliance;
- Conduct technical and role-specific application security awareness training;
- Build and maintain technical guidelines;
- Build and maintain application-specific threat models (OWASP Threat Dragon/MS Threat Modeling Tool) and as a result explicitly apply security principles to design;
- Explicitly evaluate risk from third-party components;
- Derive security requirements from business functionality.