No matter what your job title, the work you do at Kaiser Permanente supports the health and well-being of our members. All 8.7 million of them. That's because each of us-from our financial professionals and IT team members to our RNs and physicians on the front line of care-shares a commitment to providing the best possible care experience. With locations across the United States, we offer the opportunity to build a rewarding career in an environment that supports your success. Join us and put your beliefs into practice.
Description
As a member of the KP Information Security team, the Application Security Consultant is responsible for application security initiatives that help secure KP applications and data.
This position supports compliance and the Principles of Responsibility (Kaiser Permanente's Code of Conduct) by maintaining the privacy and confidentiality of information, protecting the assets of the organization, acting with ethics and integrity, reporting non-compliance, and adhering to the applicable federal, state and local laws and regulations, accreditation and license requirements (if applicable), and Kaiser Permanente's policies and procedures.
Essential Functions:
This individual will help set the direction and be responsible for the rollout and operation of the following services:
Web Application Firewall (WAF)
Identify applications that will be protected by the WAF
Tune WAF rules, review alerts, identify issues
Static code analysis
Review automated static code analysis results and perform manual code reviews
Work with developers and application owners to integrate static code analysis functionality into the SDLC
Train staff on the use of static analysis tools and code review
Web Application Scanning
Review results from automated tools
Perform manual application testing (minimal)
Work with application owners to set up automated scans of target applications
Train staff on web application security issues and scan results
Work with developers and application owners to mitigate application security vulnerabilities that are discovered
Accountable for analyzing, validating, and planning application security services to expand coverage throughout KP
Develop and deliver metrics to measure progress and improvement for all services
Contribute to overall strategy and roadmap for continuous improvement of application security capabilities
Accountable for identifying technical and process deficiencies and risks with current or new systems and recommending risk management strategies
Opportunity to expand responsibilities into project and technical management roles
Working Relationships:
KP Application Owners
KPIT Network Operations
KPIT Infrastructure Management Group
KPIT Enterprise Architecture
KP Management and Executives
National Compliance Office
IT Compliance
Internal Audit
Regional and Line of Business Information Security Officers
KP Information Technology Service Delivery team
Solution providers / vendors
Qualifications:
Bachelor's in Engineering, Computer Science or related field or 4 additional years of equivalent work experience in lieu of degree
Must have a security background and an understanding of risk based approaches to prioritizing activities.
Must be able to effectively communicate risk to business partners in non-technical terms.
At least 10 years of systems experience with application development, application security, information security, and networking in a large-scale (1000+ servers), customer-facing, highly available, distributed environment.
Solid understanding of web application security issues
Solid understanding of common development languages and platforms such as Java/JEE, ASP.NET, C#, PHP, JavaScript, Flash, etc.
Experience with Web Application Firewalls like Imperva and F5
Experience with Static Code Analysis tools like Fortify and Quality Center.
Experience with Web Application Scanners like Rational AppScan, HP WebInspect, Cenzic, WhiteHat
Experience with other web application testing tools like Burp, WebScarab, Paros, etc.
Thorough understanding of the rapidly changing computing landscape, its security-related risks, and how to be proactively prepared for that change.
Strong communication and leadership skills with the demonstrated ability to lead and influence technical professionals across the enterprise including education of fellow technology staff on detailed security requirements.
Ability to evaluate risk based on situation and adapt security controls to match the risk.
External hires must pass a background check/drug screen.
We are proud to be an equal opportunity/affirmative action employer.