Constellation Energy Corp.
Senior Cyber Security Vulnerability Management Analyst (Remote)
Constellation Energy Corp., Chicago, Illinois, United States, 60290
COMPANY OVERVIEWAs the nation's largest producer of clean, carbon-free energy, Constellation is a company purposely-built to meet the challenges of the climate crisis. Constellation has been the leader in clean energy production for more than a decade and we are growing our company and capabilities. Now, we're accelerating, speeding our low-carbon or no-carbon power to more people in more places, day and night, providing our customers and communities with options to buy, manage and use energy as part of their decarbonization mission. The race is on to confront the climate crisis and Constellation is ready to meet the challenge. Come join us as we lead energy, together.TOTAL REWARDSConstellation offers a wide range of benefits and rewards, designed to help our employees thrive professionally and personally. In addition to highly competitive salaries, we offer a bonus program, 401(k) with company match, employee stock purchase program; comprehensive medical, dental and vision benefits, including a robust wellness program; paid time off for vacation, holidays and sick days; and much more.Expected salary range of $115,200 to $128,000, varies based on experience, along with comprehensive benefits package that includes bonus and 401(k).PRIMARY PURPOSE OF POSITIONThe Senior Cyber Security Vulnerability Management Analyst will be expected to conduct formal tests on web-based applications, networks, and other types of computer systems on a regular basis and determines/documents deviations from approved configuration standards and/or policies. This role will also be expected to work on physical security assessments of servers, computer systems, and networks. Along with these tests and assessments, this role will conduct regular security vulnerability assessments, scans from both a logical/theoretical standpoint and a technical/hands-on standpoint and recommend appropriate mitigations and/or remediation efforts. This role will enhance security services provided by the Cyber Vulnerability Detection and Management team. This is a hands-on role requiring expert technical skills across a wide range of IT/OT systems, applications, and infrastructure.PRIMARY DUTIES AND ACCOUNTABILITIESPerforming security architecture reviews of applications in design and production phases.Identifying security recommendations, potential threats and attacks to applications systems through threat modeling and vulnerability assessment.Consulting with developers on integrating security processes and tools into DevOps processesWorking with application development teams to develop solutions to remediate security vulnerabilities.Improving secure coding practices, application security requirements, automation, training and metrics.Maintaining an active understanding of industry practices for secure software development.Play an active role in counseling and mentoring junior Cybersecurity team members.Understanding of or experience in Agile Development Environment.Problem solving and troubleshooting with eye for details.Good communication and presentation skills.Ability to work in both collaborative and independent work environments.Proven ability to work as DevSecOps practioner.Design automation workflows and capabilities in support of data collection, investigation and incident response.Develop threat hunting and data analysis strategy and capabilities.Identify and propose new technologies, methodologies and/or approaches to detecting malicious activity.Utilize indicators to scope and respond proactively to emerging threats.Design, build, configure, maintain and monitor cybersecurity threat defense capabilities and user access management.MINIMUM QUALIFICATIONSBachelors degree in Information Technology, Cybersecurity, or Computer science plus 5-8 years of relevant experience or, in lieu of a degree a minimum of 9-12 years of relevant experience.Experience in performing application security vulnerability assessment using either manual penetration testing and source code techniques or automated commercial SAST/DAST/IAST/SCA/OSA tools.Experience in performing security architecture/threat modeling.Experience in evaluating application security programs for clients and developing key elements of the program as part of the enhancement process and developing internal vulnerability assessment and management processes.Ability to learn and adapt to integrate application security to different CI/CD systems and apply automation as needed.Minimum 2 years of experience working in Agile development, application security, or DevOps role, with experience in the following technologies:
Containers (Docker, Kubernetes, etc.)Infrastructure as code (Chef, Terraform, etc.)Continuous integration (Jenkins, Github, TeamCity etc.)Integration of Security testing tools like Fortify , ShiftLeft, Check Marx , Invicti, WhietSource into pipelineDefect tracking (Jira, ServiceNow etc.)Source code management (GitLab, GitHub, BitBucket, etc.)Developing enterprise applications or scripts for security testing (security as code)Cloud environment (AWS, Azure, GCP) and various Unix-like distributionsKnowledge of networking, infrastructure and applications from a DevOps perspective with a security focus;Experience in programming or scripting languages;Broad knowledge of security control techniques and how they can be applied in a traditional IT environment as well as cloud-based systemsGood technical knowledge of Microservice oriented solutions, APIs, Azure AD and common cloud authentication patternsSecurity Cert ( Sec +, CEH, CCSP, GSEC)
PREFERRED QUALIFICATIONSCloud DevOps Certification (Azure, GCP, AWS).Graduate degree in cyber security or related area of expertise.Relevant security certifications (CISSP, CISM, OSCP, GIAC).Demonstrated expert technical skills with various penetration testing technologies and tools.Demonstrated experience and subject matter knowledge in cyber and information security for applications, web architectures, operating systems, databases, and networks.Demonstrated experience and subject matter knowledge of SCADA, ICS, Distribution Automation, Smart Grid, DMS, and ECS systems architecture in relation to evaluating risk.Demonstrated experience and proven capabilities in network vulnerability assessment, application vulnerability assessment, application security architecture development, web application security, and application security testing.Demonstrated experience in addressing regulatory compliance for the security requirements in applicable laws and regulations, such as NERC CIP, SOX, PCI DSS, and HIPAA.Solid understanding and experience with security development lifecycle (SDL) processes for internally developed applications, including the web-based and Internet facing components.Demonstrated knowledge and experience in application security standards, methodologies, and technologies.Solid understanding to assess application and web architectures and operating systems for vulnerabilities and develop appropriate security countermeasures.Solid knowledge and experience with IT security aspects of operating systems, Active Directory, database (SQL) access, LDAP, Microsoft SharePoint, and web server configurations.Demonstrated experience in assessing and testing security applications and systems, such as Cisco firewalls, security appliances, IDS/IPS, SSL or TLS, IPSec, and web services security.Ability to demonstrate analytical skills, technical knowledge, and practical application of cyber and information security principles to business leaders and technical staff.
#J-18808-Ljbffr
Containers (Docker, Kubernetes, etc.)Infrastructure as code (Chef, Terraform, etc.)Continuous integration (Jenkins, Github, TeamCity etc.)Integration of Security testing tools like Fortify , ShiftLeft, Check Marx , Invicti, WhietSource into pipelineDefect tracking (Jira, ServiceNow etc.)Source code management (GitLab, GitHub, BitBucket, etc.)Developing enterprise applications or scripts for security testing (security as code)Cloud environment (AWS, Azure, GCP) and various Unix-like distributionsKnowledge of networking, infrastructure and applications from a DevOps perspective with a security focus;Experience in programming or scripting languages;Broad knowledge of security control techniques and how they can be applied in a traditional IT environment as well as cloud-based systemsGood technical knowledge of Microservice oriented solutions, APIs, Azure AD and common cloud authentication patternsSecurity Cert ( Sec +, CEH, CCSP, GSEC)
PREFERRED QUALIFICATIONSCloud DevOps Certification (Azure, GCP, AWS).Graduate degree in cyber security or related area of expertise.Relevant security certifications (CISSP, CISM, OSCP, GIAC).Demonstrated expert technical skills with various penetration testing technologies and tools.Demonstrated experience and subject matter knowledge in cyber and information security for applications, web architectures, operating systems, databases, and networks.Demonstrated experience and subject matter knowledge of SCADA, ICS, Distribution Automation, Smart Grid, DMS, and ECS systems architecture in relation to evaluating risk.Demonstrated experience and proven capabilities in network vulnerability assessment, application vulnerability assessment, application security architecture development, web application security, and application security testing.Demonstrated experience in addressing regulatory compliance for the security requirements in applicable laws and regulations, such as NERC CIP, SOX, PCI DSS, and HIPAA.Solid understanding and experience with security development lifecycle (SDL) processes for internally developed applications, including the web-based and Internet facing components.Demonstrated knowledge and experience in application security standards, methodologies, and technologies.Solid understanding to assess application and web architectures and operating systems for vulnerabilities and develop appropriate security countermeasures.Solid knowledge and experience with IT security aspects of operating systems, Active Directory, database (SQL) access, LDAP, Microsoft SharePoint, and web server configurations.Demonstrated experience in assessing and testing security applications and systems, such as Cisco firewalls, security appliances, IDS/IPS, SSL or TLS, IPSec, and web services security.Ability to demonstrate analytical skills, technical knowledge, and practical application of cyber and information security principles to business leaders and technical staff.
#J-18808-Ljbffr