The Associate Web Application Security Engineer executes routine information security operations activities such as deploying, monitoring, analyzing, improving and troubleshooting a secure systems development life cycle. With guidance from management and senior staff, supports management and staff in the implementation of appropriate application and data security procedures and products. Assists senior staff in the evaluation, development, implementation and operational aspects of security standards, procedures and guidelines for multiple platforms and diverse systems environments.
- Review, monitor and/or audit applicable daily Security Log Activity and Events. Take action as necessary; escalate to senior staff if required. Logs include, but are not limited to, the following:
  - Group Policy Changes
  - Active Directory Changes
  - Web Activity and Traffic
  - Firewall and ACL Changes
  - Vulnerability Scans – Kubernetes/Containers
  - Vulnerability Scans – Database
  - Vulnerability Scans – PCI ASV
  - Web Application Firewall
  - SAST Scan Results
  - DAST Scan Results (e.g. Acunetix, Burp Suite, Nessus)
- Monitor Security Dashboard and take action as needed
- Monitor daily AppSec Threat Intelligence – make actionable, where applicable
- Monitor Security related tickets submitted to Helpdesk and take necessary action to resolve them or escalate them to Team Leader - Security
- Monitor and Maintain iHerb Security training and phishing campaigns
- Participate, review and advise on the security of new iHerb web applications, APIs and Mobile Applications
- Manage remediation of any findings from internal or external assessments
- Participate in the Security Incident Response Team
- Champion the Security & Privacy Awareness Program
- Perform User Administration for key security tools and systems
- Perform Key Management Administration for encryption keys and secrets
- Maintain knowledge of new and emerging threats and risks to the organization: tactics, techniques and procedures of advanced attackers. Advise and implement threat mitigations.
- Participate in Compliance programs (such as PCI) by helping to implement and document controls and examining evidence for compliance with standards.
- Coordinate and conduct Risk Assessments in accordance with iHerb Policies and Standards, working with business units to remediate findings.
Knowledge, Skills and Abilities:
- Possess an understanding of PCI Compliance and EU GDPR Requirements
- Familiar with SQL Server Administration and Queries
- Knowledge of common scripting and application development languages (e.g. PowerShell, C#, Python, T-SQL etc.) and/or the ability to learn is required.
- Provide support for strategic business process/reengineering consulting as appropriate and work on multiple technically complex high profile projects.
- Demonstrate an understanding of key IT operational policies, processes and methodologies applicable to governance, risk management and compliance.
- General understanding of security fundamentals and general security technologies, including operating systems, network security (firewalls, VPNs, etc.), security event management, business continuity, physical security, identity management, directory services, etc.
- Familiar with OWASP Top 10 (2013 and/or 2017 Version) vulnerability detection and mitigation
- Familiar with security of LANs, WANs, Firewalls, VPN, MPLS and related Network Applications
- Knowledge of Active Directory, DDNS, Group Policy, Microsoft Windows Server and Desktop operating systems
- Knowledge of Linux based Operating Systems, Logging and Troubleshooting
- Ability to work in a fast-paced, rapidly changing environment and a strong desire to learn
- 1 year's experience in IT/Information Security audit and assessment.
- Knowledge of PCI DSS and EU GDPR
- Be a self-starter, able to manage and prioritize own workload, and a team player in a fast-moving environment.
- Excellent verbal and written communications skills
- Two years' experience in information systems as a system administrator, application developer, or network administrator, with at least two of those years involving direct information security duties
- 1 year's experience with application and network security
- 1 year's experience researching, analyzing and recommending information security solutions
- 1 year's experience identifying, assessing, and remediating technical security vulnerabilities
- A working knowledge of information security practices and concepts including intrusion detection/prevention, access controls, risk analysis, vulnerability scanning, and data encryption
- Ability to investigate information security events discretely
- Strong organizational skills and excellent written, verbal and interpersonal communication skills are needed to work effectively with a wide variety of staff, outside consultants and vendors.
- Bachelor's Degree in Information Technology, Information Security, Computer Science, or related field required.
- Certified Information Systems Security Professional (CISSP) certification.
- Certified Ethical Hacker (CEH)
- SANS/GIAC Certifications