Senior Security Assurance Analyst
  • United Arab Emirates Dubai
  • The Emirates Group
31.12.2023
Securely Provision
Risk Management
Job Description

Job Purpose:
Develop, implement, lead and continuously improve the security verification and testing processes consisting of, but not limited to, risk assessments, compliance reviews, vulnerability assessments and penetration tests based on industry best practices and as defined by the assurance function. Collaborate with the team in developing the assurance program on an ongoing basis to incorporate industry best practices and offensive and defensive attack techniques.

Job Accountabilities Linked to Objective Areas:
  1. Represent Cybersecurity assurance capabilities within the agile process and drive Cybersecurity best practices across the Emirates Group by executing in-depth automated and manual discovery of security vulnerabilities in web applications, mobile applications, web services, client-server applications and associated infrastructure.
  2. Research, recommend and implement formal methodologies and tools for conducting technical Cybersecurity risk assessments, reviews and investigations. Perform impact analysis to achieve the security-by-design objective.
  3. Monitor and continuously review the Emirates systems on an ongoing basis, in compliance with the Emirates Group's Cybersecurity Policies, Principles and Standards. Initiate corrective actions in the event of any violations to aid effective, data-supported risk-based decision making.
  4. Plan and schedule regular vulnerability assessments, penetration tests, technical risk assessments and compliance reviews on the Group's key IT infrastructure components and applications based on the criticality and perceived risk of the applications/services.
  5. Ensure all identified security weaknesses and risks are managed through their life cycle via product backlogs, so that development teams have a clear prioritisation and can triage issues on a timely basis, by providing knowledge transfer to the agile teams using meetings, walkthroughs, technical discussions, etc.
  6. Develop documentation and a knowledge base to be used by developers for implementing secure coding practices, and provide recommendations for missing application and infrastructure security controls to facilitate a secure-by-design culture.
  7. Provide the necessary knowledge transfer of the vulnerabilities found during assessments to the software engineering teams by means of meetings, walkthroughs, technical discussions, etc., so that appropriate security fixes can be implemented.
  8. Collaborate with development teams on improving security by offering design reviews, threat modelling, awareness, training, new tooling and expert review.
  9. Create tools, scripts and automation to make the vulnerability discovery and vulnerability management process more consistent and repeatable and to increase efficiency.

Qualifications & Experience:
Qualifications: Degree in IT or equivalent. An information security related, industry-recognised certification such as CISSP, CISA, CISM, GIAC certification, CEH, etc.

Knowledge/skills (Secure SDLC):
  1. Strong fundamentals of OS, network and programming concepts.
  2. Deep technical knowledge of OWASP Top 10 issues for both application and mobile.
  3. Deep technical knowledge of network and infrastructure security testing.
  4. Technical aptitude to test web services, APIs, business logic issues, cloud-specific issues, etc.
  5. Ability to develop high-quality proofs of concept for vulnerabilities identified.
  6. Adaptive to newer attack vectors and technologies and their applicability.
  7. Proficient in using and implementing open source and commercial tools for application, mobile and thick client security testing.
  8. Experience in reviewing source code in varied programming languages.
  9. Experience building tools and automation to discover vulnerabilities at scale.
  10. Deep technical knowledge of browser security controls such as SOP, CSP, XFO, HSTS, etc.
  11. Knowledge of reviewing mobile and web-based security design and implementation.
  12. Knowledge of industry-standard authentication and authorisation mechanisms, Docker, Kubernetes.

Certifications:
  • Offensive Security Certified Professional (OSCP) – Preferred
  • GIAC Web Application Penetration Tester (GWAPT) – Preferred
  • Certified Information Systems Security Professional (CISSP) – Preferred

Excellent interpersonal and communication skills.
Salary & Benefits: Join us in Dubai and enjoy an attractive tax-free salary and travel benefits that are exclusive to our industry, including discounts on flights and hotel stays around the world. You can find out more information about our employee benefits in the Working Here section of our website www.emirates.com/careers. Further information on what it's like to live and work in our cosmopolitan home city can be found in the Dubai Lifestyle section.



Required Knowledge
  • K0001   Knowledge of computer networking concepts and protocols, and network security methodologies.
  • K0002   Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).
  • K0003   Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy.
  • K0004   Knowledge of cybersecurity and privacy principles.
  • K0005   Knowledge of cyber threats and vulnerabilities.
  • K0013   Knowledge of cyber defense and vulnerability assessment tools and their capabilities.
  • K0027   Knowledge of organization's enterprise information security architecture.
  • K0037   Knowledge of Security Assessment and Authorization process.
  • K0044   Knowledge of cybersecurity and privacy principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
  • K0048   Knowledge of Risk Management Framework (RMF) requirements.
  • K0295   Knowledge of confidentiality, integrity, and availability principles.
  • K0342   Knowledge of penetration testing principles, tools, and techniques.
  • K0624   Knowledge of Application Security Risks (e.g., Open Web Application Security Project Top 10 list).

Required Skills
  • S0034   Skill in discerning the protection needs (i.e., security controls) of information systems and networks.
  • S0367   Skill to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
  • S0001   Skill in conducting vulnerability scans and recognizing vulnerabilities in security systems.
  • S0006   Skill in applying confidentiality, integrity, and availability principles.
  • S0027   Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes.
  • S0038   Skill in identifying measures or indicators of system performance and the actions needed to improve or correct performance, relative to the goals of the system.
  • S0078   Skill in recognizing and categorizing types of vulnerabilities and associated attacks.
  • S0097   Skill in applying security controls.
  • S0147   Skill in assessing security controls based on cybersecurity principles and tenets (e.g., CIS CSC, NIST SP 800-53, Cybersecurity Framework, etc.).
  • S0172   Skill in applying secure coding techniques.

Required Abilities
  • A0028  Ability to assess and forecast manpower requirements to meet organizational objectives.
  • A0033  Ability to develop policy, plans, and strategy in compliance with laws, regulations, policies, and standards in support of organizational cyber activities.
  • A0090  Ability to identify external partners with common cyber operations interests.
  • A0094  Ability to interpret and apply laws, regulations, policies, and guidance relevant to organization cyber objectives.
  • A0111  Ability to work across departments and business units to implement organization’s privacy principles and programs, and align privacy objectives with security objectives.
  • A0117  Ability to relate strategy, business, and technology in the context of organizational dynamics.
  • A0118  Ability to understand technology, management, and leadership issues related to organization processes and problem solving.
  • A0119  Ability to understand the basic concepts and issues related to cyber and its organizational impact.
  • A0123  Ability to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).