Senior Cyber Security Vulnerability Management Analyst (Remote) - Military Veterans
at Constellation Energy
COMPANY OVERVIEW
As the nation's largest producer of clean, carbon-free energy, Constellation is a company purposely-built to meet the challenges of the climate crisis. Constellation has been the leader in clean energy production for more than a decade and we are growing our company and capabilities. Now, we're accelerating, speeding our low-carbon or no-carbon power to more people in more places, day and night, providing our customers and communities with options to buy, manage and use energy as part of their decarbonization mission. The race is on to confront the climate crisis and Constellation is ready to meet the challenge. Come join us as we lead energy, together.
TOTAL REWARDS
Constellation offers a wide range of benefits and rewards, designed to help our employees thrive professionally and personally. In addition to highly competitive salaries, we offer a bonus program, 401(k) with company match, employee stock purchase program; comprehensive medical, dental and vision benefits, including a robust wellness program; paid time off for vacation, holidays and sick days; and much more.
Expected salary range of $115,200 to $128,000, varies based on experience, along with comprehensive benefits package that includes bonus and 401(k).
PRIMARY PURPOSE OF POSITION
The Senior Cyber Security Vulnerability Management Analyst will be expected to conduct formal tests on web-based applications, networks, and other types of computer systems on a regular basis and determines/documents deviations from approved configuration standards and/or policies. This role will also be expected to work on physical security assessments of servers, computer systems, and networks. Along with these tests and assessments, this role will conduct regular security vulnerability assessments, scans from both a logical/theoretical standpoint and a technical/hands-on standpoint and recommend appropriate mitigations and/or remediation efforts. This role will enhance security services provided by the Cyber Vulnerability Detection and Management team. This is a hands-on role requiring expert technical skills across a wide range of IT/OT systems, applications, and infrastructure.
PRIMARY DUTIES AND ACCOUNTABILITIES
- Performing security architecture reviews of applications in design and production phases.
- Identifying security recommendations, potential threats and attacks to applications systems through threat modeling and vulnerability assessment.
- Consulting with developers on integrating security processes and tools into DevOps processes
- Working with application development teams to develop solutions to remediate security vulnerabilities.
- Improving secure coding practices, application security requirements, automation, training and metrics.
- Maintaining an active understanding of industry practices for secure software development.
- Play an active role in counseling and mentoring junior Cybersecurity team members.
- Understanding of or experience in Agile Development Environment.
- Problem solving and troubleshooting with eye for details.
- Good communication and presentation skills.
- Ability to work in both collaborative and independent work environments.
- Proven ability to work as DevSecOps practioner.
- Design automation workflows and capabilities in support of data collection, investigation and incident response.
- Develop threat hunting and data analysis strategy and capabilities.
- Identify and propose new technologies, methodologies and/or approaches to detecting malicious activity.
- Utilize indicators to scope and respond proactively to emerging threats.
- Design, build, configure, maintain and monitor cybersecurity threat defense capabilities and user access management.
MINIMUM QUALIFICATIONS
- Bachelors degree in Information Technology, Cybersecurity, or Computer science plus 5-8 years of relevant experience or, in lieu of a degree a minimum of 9-12 years of relevant experience.
- Experience in performing application security vulnerability assessment using either manual penetration testing and source code techniques or automated commercial SAST/DAST/IAST/SCA/OSA tools.
- Experience in performing security architecture/threat modeling.
- Experience in evaluating application security programs for clients and developing key elements of the program as part of the enhancement process and developing internal vulnerability assessment and management processes.
- Ability to learn and adapt to integrate application security to different CI/CD systems and apply automation as needed.
- Minimum 2 years of experience working in Agile development, application security, or DevOps role, with experience in the following technologies:
- Containers (Docker, Kubernetes, etc.)
- Infrastructure as code (Chef, Terraform, etc.)
- Continuous integration (Jenkins, Github, TeamCity etc.)
- Integration of Security testing tools like Fortify , ShiftLeft, Check Marx , Invicti, WhietSource into pipeline
- Defect tracking (Jira, ServiceNow etc.)
- Source code management (GitLab, GitHub, BitBucket, etc.)
- Developing enterprise applications or scripts for security testing (security as code)
- Cloud environment (AWS, Azure, GCP) and various Unix-like distributions
- Knowledge of networking, infrastructure and applications from a DevOps perspective with a security focus;
- Experience in programming or scripting languages;
- Broad knowledge of security control techniques and how they can be applied in a traditional IT environment as well as cloud-based systems
- Good technical knowledge of Microservice oriented solutions, APIs, Azure AD and common cloud authentication patterns
- Security Cert ( Sec +, CEH, CCSP, GSEC)
- Cloud DevOps Certification (Azure, GCP, AWS).
- Graduate degree in cyber security or related area of expertise.
- Relevant security certifications (CISSP, CISM, OSCP, GIAC).
- Demonstrated expert technical skills with various penetration testing technologies and tools.
- Demonstrated experience and subject matter knowledge in cyber and information security for applications, web architectures, operating systems, databases, and networks.
- Demonstrated experience and subject matter knowledge of SCADA, ICS, Distribution Automation, Smart Grid, DMS, and ECS systems architecture in relation to evaluating risk.
- Demonstrated experience and proven capabilities in network vulnerability assessment, application vulnerability assessment, application security architecture development, web application security, and application security testing.
- Demonstrated experience in addressing regulatory compliance for the security requirements in applicable laws and regulations, such as NERC CIP, SOX, PCI DSS, and HIPAA.
- Solid understanding and experience with security development lifecycle (SDL) processes for internally developed applications, including the web-based and Internet facing components.
- Demonstrated knowledge and experience in application security standards, methodologies, and technologies.
- Solid understanding to assess application and web architectures and operating systems for vulnerabilities and develop appropriate security countermeasures.
- Solid knowledge and experience with IT security aspects of operating systems, Active Directory, database (SQL) access, LDAP, Microsoft SharePoint, and web server configurations.
- Demonstrated experience in assessing and testing security applications and systems, such as Cisco firewalls, security appliances, IDS/IPS, SSL or TLS, IPSec, and web services security.
- Ability to demonstrate analytical skills, technical knowledge, and practical application of cyber and information security principles to business leaders and technical staff.
Salt Lake City, UT
We are the nation’s largest producer of carbon-free energy and the leading competitive retail supplier of power and energy products and services for homes and businesses across the United States. Headquartered in Baltimore, our generation fleet powers more than 20 million homes and is helping to accelerate the nation’s transition to clean energy with more than 32,400 megawatts of capacity and annual output that is 90 percent carbon-free.
Already the lowest carbon emitter of any major investor-owned U.S. generator, we have set a goal to eliminate 100 percent of our greenhouse gas emissions by leveraging innovative technology and enhancing our diverse mix of hydro, wind and solar resources, paired with the nation’s largest carbon-free nuclear fleet.
Our family of retail businesses serves approximately 2 million residential, public sector and business customers, including three-fourths of the Fortune 100. We are helping these customers reach their own climate goals through innovative clean energy solutions, including an upcoming, new 24/7 carbon-free energy matching product.
To further advance the fight against the climate crisis and accelerate the transition to a carbon-free future, we have set own ambitious climate goals, including:
- 95% carbon-free electricity by 2030
- 100% carbon-free electricity by 2040
- 100% reduction of operations-driven emissions by 2040
- Providing 100 percent of our business customers with customized data to help them reduce their own carbon footprints.
As we work towards these goals, we will continue to serve as a leading supporter of our communities through workforce development programs; philanthropy; volunteerism; and diversity, equity and inclusion initiatives; while maintaining the highest standards of corporate governance.