Senior Security Consultant - DevSecOps

Location: Calgary, AB, CA; Vancouver, BC, CA; Montréal, QC, CA; Toronto, ON, CA; Ottawa, ON, CA

Req ID:  40459
Jobs by Category:  Security & Automation
Job Function:  Cybersecurity
Status:  Full Time
Schedule:  Regular

Description

 

We live and work in a rapidly evolving digital world where cyber security is critical. Protecting information and ensuring the reliability of networks and services is paramount. The TELUS Health CSO team strives to always be steps ahead, tackling the toughest cyber security challenges head-on with top talent and cutting-edge technology.

 

The TELUS Health CSO team is committed to providing excellence in securing our internal and customers’ data and systems, ensuring world-class reliability of security networks and systems, and improving our overall cyber security posture. We manage our cyber risks and provide industry-leading cyber governance, assurance and oversight to secure our data.


You’ll partner with industry leaders to meet the cyber security needs of both TELUS Health and our customers to meet the demands of an increasingly complex and ever-changing cyber security landscape. We are passionate about learning and growing as individuals and as a team, all of which enables us to thrive in a dynamic, fast-paced environment.

 

The role will support the manager of DevSecOps within the TELUS Health Chief Security Office in leading the engineering of security at scale within the secure software development cycle, representing CSO.

 

This individual contributor role will help assess products’ security maturity through consultation, select and implement security controls within their pipelines (WAF, SAST, DAST, IAST, SCA), and act as an SME for validating security vulnerabilities and remediating those findings. This individual will act as a product security evangelist and contribute greatly to the development and implementation of the security champion program. The individual will also be involved in promoting security awareness, disaster recovery planning, testing, and corporate security policy maintenance and enforcement, as well as threat and risk assessments.


Working as a partner to the product teams and TELUS Health Cloud program, this role will drive the adoption of secure Cloud and application security within the pipelines and processes of the product.

 

 

  • Provide training and awareness sessions to application development teams, highlighting the benefits of web application layer protection services, and demonstrating exploitation of confirmed security vulnerabilities
  • Perform comprehensive Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST), and Software Composition Analysis (SCA) to identify vulnerabilities
  • Review security scan results and work closely with the development team to prioritize security vulnerabilities using a risk-based approach
  • Identify vulnerabilities and weaknesses through web and mobile application security assessments, code reviews, threat modeling, vulnerability scanning, and manual application penetration testing
  • Provide actionable recommendations and guidance to improve the security posture of applications and their supporting technology infrastructure
  • Collaborate with stakeholders to develop and enhance security policies, procedures, and risk management strategies
  • Lead key security initiatives, manage projects, and work collaboratively with cross-functional teams
  • Work across product teams to integrate security into the SDLC / CICD pipeline through consideration of security at each step, extending security into the design, developer environment (IDE), software composition analysis, static assessment, and dynamic assessment as part of the local CICD pipeline
  • Drive consistency of control and solution across the tooling applied within each product team. Whilst a single solution will not always be desirable, seek out consolidation where possible and ensure all solutions have consistent levels of security
  • Identify, justify and promote the use of shared security services or patterns (e.g. Web Application Firewalls) that can deliver consistent security protection without impeding local product agility or effectiveness
  • Ensure product development teams have the right level of security expertise to operate their aspects of the security operating model
  • Work with the SecOps team to define response playbooks for application security incidents, and seek out automation for common events to ensure sustainable T1/T2 operation
  • Work with the SecOps team to define the runbooks for application security tooling operated by the CSO team, ensuring sustainable security operation across TH’s portfolio of applications

 

 

What you bring

 

  • University degree or equivalent industry experience
  • Strong communication, presentation, and relationship skills, especially the ability to articulate technical topics
  • Knowledge of security and industry standards (e.g., ISO, NIST, ITIL)
  • Knowledge and practical experience of any of the following: OWASP Top 10, OWASP Web Application Security Testing Guide (WSTG), OWASP (Mobile) Application Security Verification Standard (MASVS/ASVS), BSIMM, and OpenSAMM
  • CISSP, CCSP, CRISC or a similar Cloud certification is preferred
  • Practical Cloud security experience with appropriate certification spanning GCP and either AWS or Azure
  • Experience working on enterprise Cloud services deployments (SaaS, PaaS, IaaS) and understand security challenges involved in Cloud migration, adoption and operation
  • Experience deploying and migrating to/from private Cloud environments
  • Experience with virtual machine management, container orchestration, API management and secure use of serverless technologies
  • Knowledge of application security, software development with security concepts and integration into the development pipelines.
  • Experience across SCA, SAST, DAST, and IAST
  • Experience working with proxy intercept tools such as Burp Suite Pro or OWASP ZAP
  • Integration experience across pipelines and orchestration tools such as Jenkins, source repositories (e.g. GitHub, Bitbucket, etc.), Integrated Development Environments, and testing tools
  • Experienced with agile delivery teams and environments
  • Experienced working in a DevOps / SRE operation
  • Experience with application security capabilities including Web Application Firewalls, DDoS mitigation, Bot prevention, and associated threat management controls
  • Familiarity with pipelines, automation and scripting
  • Performed threat modeling and design reviews assessing security implications and requirements when introducing new technologies (STRIDE)
  • Performed security design/architecture reviews, code reviews, and penetration tests of large applications, systems and/or networks

 

Nice to haves

 

  • Professional security certifications: Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Cloud Security Professional (CCSP), and others
  • Industry-recognized certifications would be an asset (e.g., OSCP, OSWE, ECDE, Burp Suite Certified Practitioner, GWAPT, eWPT, GMOB, eMAPT, etc.)
  • Experience within a regulated business environment
  • An insatiable appetite for modern and emerging technologies and tools



Salary Range:  $101,000-$151,000
Performance Bonus or Sales Incentive Plan:  15%

Actual total compensation will be determined based on factors such as knowledge, skills, performance and experience. 

A bit about us

We’re a people-focused, customer-first, purpose-driven team who works together every day to innovate and do good. We improve lives through our technology solutions and foster a culture of innovation that empowers team members to solve complex problems and create remarkable human outcomes in a digital world. 

You’ll find our engaging, high-performance culture personally fulfilling, professionally challenging, and financially rewarding. We’re committed to diversity and equitable access to employment opportunities based on ability. Your unique contributions and talents will be valued and respected here. When you join our team, you’re helping us make the future friendly.

Note for Quebec candidates: if knowledge of English is required for this position, it is because the team member will be asked, on a regular basis, to interact in English with external or internal parties or to use English applications or software as part of their tasks.

 

 

 

 

Accessibility

TELUS is proud to foster an inclusive culture that embraces diversity. We are committed to fair employment practices and all qualified applicants will receive consideration for employment.

We offer accommodation for applicants with disabilities, as required, during the recruitment process.