The State of Michigan is looking for: IT Security Auditor
Please note screening questions (attached) which are required to be submitted along with bid documents.
Top Skills & Years of Experience:
3 years implementing / utilizing Federal, Industry, and Open Source Security Guidance and Secure Coding Practices (OWASP Top 10, SANS, CERT, CWE Top 25, Critical Security Controls, Cloud Security Alliance, SAFECode, etc.)
3 years with both compiled and interpreted languages such as Angular, React, Node.js, Java, Spring Boot, IBM WebSphere App Server, Oracle, JBoss, .NET stacks
3 years with networking infrastructure, secure application development, and security automation (DevSecOps).
3 years of hands-on knowledge building and deploying secure, complex, distributed web and mobile applications.
Ability to pass a CJIS background check
Will close submissions on: 8/26 at 10am EST.
Interview Process: Virtual Interview via MS Teams with 2nd round interviews being held IN PERSON at the Dimondale, MI office.
Candidates submitted MUST be willing to come onsite for a face-to-face interview.
A screenshot photo of candidate will be required for any interviews, as well as a vendor present at beginning of virtual interview to validate candidate (see bid submission requirement attachment for details).
Duration: 1 year with possible extension.
Position will be hybrid, 2 days a week onsite and 3 days working from home. Candidates MUST be local at time of submission.
Hiring manager is not currently interested in candidates who will need to relocate to accept offer. NO REMOTE ONLY OPTION.
Full Job Description Attached. Please note screening questions (attached) which are required to be submitted along with bid documents.
IT Security Auditor Job Description
Short Job Description
Senior Full Stack Application Development Security Auditor who is passionate about designing and building secure platforms and applications through Dynamic, Static, and Software Composition Analysis assessments.
This position is not a member of the Security Operations Center; rather, it is dedicated to working with software development teams on secure coding practices.
The ideal candidate will feel comfortable working with front-end, back-end, and cloud-based application developers, partnering with distributed teams to help transform the way systems are built, secured, authorized, and securely operated for continuous compliance and risk mitigation.
Specifically, this candidate will help lead efforts to implement security patterns and practices with orchestration and automation tools that automate the secure configuration, verification, compliance, and authorization of systems and their development.
They will be a key member of a team tasked with maturing the organization's secure software development practices.
Long Job Description
Functional Knowledge:
Chrome / Firefox / Edge development tools to see the request / response headers
Experience with Application Security scanning tools (SAST, DAST, SCA, ASOC, Container / Cloud) a must.
Experience with Coverity, BlackDuck, STRM, Fortify a plus
HTTP Request / Response headers for web and RESTful API calls
Ability to explain in detail any of the OWASP Top 10 vulnerabilities
Cross-Site Scripting, Injection attacks, SSRF, CSRF, XML entity, etc.
API Security
OAUTH / OIDC / PKCE
Web API replay attacks
High-level understanding of containers
Cloud development experience (Azure, AWS, GCP)
Minimum of 5 years of total IT-related experience.
3 years implementing / utilizing Federal, Industry, and Open Source Security Guidance and Secure Coding Practices (OWASP Top 10, SANS, CERT, CWE Top 25, Critical Security Controls, Cloud Security Alliance, SAFECode, etc.)
3 years with both compiled and interpreted languages such as Angular, React, Node.js, Java, Spring Boot, IBM WebSphere App Server, Oracle, JBoss, .NET stacks
3 years with networking infrastructure, secure application development, and security automation (DevSecOps).
3 years of hands-on knowledge building and deploying secure, complex, distributed web and mobile applications.