Perform
security assessments for on-going projects: both Architecture and
Implementation/Code Review

Contribute
in building secure architecture for the new projects or making corrections to existing
ones

Consult
on all 3rd-party application security penetration testing

Consult
on vulnerability response process, impact assessments and remediation plans

Recommend
design and code changes to meet product security objectives and remedy security
findings

Perform
unit-test if needed to verify a remediation or provide a proof-of-concept as
evidence of a vulnerability

Work
as a security advisor helping to establish secure development activities during
solution development

Communicate
with customers and teams, be able to convey the message about importance of
security, the ways of establishing it and the wrong ways of enforcing it (e.g.
do pen testing before release)

Knowledge
of at least one Security Development methodologies (e.g. Microsoft SDL, OWASP
CLASP etc)

Knowledge
of main Security-related activities in development such as Risk and Privacy
Assessment, Threat Modeling, Security Code Review

Deep
understanding of the nature of security threats and their classification

Knowledge
of most common implementations of the Threats (e.g. XSS, SQL Injection, XSRF,
buffer overruns, brute force, rainbow tables, DoS etc) and how they match the
general classification

Understanding
of main security principles, such as multi-layered protection (Defense in
Depth)

Understanding
of main areas of protection (Security, Privacy, Availability) and levels of
defense (networking, infrastructure, OS, Application)

Understanding
of mitigation mechanisms for every type of threats (e.g. validation, sanitizing,
crypto-operations etc)

Good
knowledge of Security Features and Mechanisms provided by at least one OS (e.g.
Windows, Linux, Android, iOS etc) and development platform/technologies (e.g.
Java, .NET Framework, databases etc)

Familiarity
with existing security standards (e.g. PCI DSS, HIPAA, NIST, Common Criteria
etc) and what does it mean to implement compliance with them

Familiarity
with the tools for various security activities: Static Code Analysis, Pen
Testing, Intrusion Detection/Prevention etc

Experience
with VAPT and familiarity with common security vulnerabilities, the lexicon of
findings (CVSS, CVE), ability to assess severity, etc

Understanding
of basic principles of infrastructure security and penetration testing

Ability
to use the tools to perform actual attacks is a plus

职能类别：网络信息安全工程师系统架构设计师

微信分享