Cyber Security Analyst – Threat Modeling

Cyber Security Analyst – Threat Modeling

Cyber Security Analyst – Threat Modeling is responsible for performing security assessments for applications, infrastructure and emerging technologies and guiding product / service teams in secure design of IT systems.

Position responsibilities include:

• Perform threat modeling for Enterprise and SaaS IT assets.
• Gain understanding of the business process, application architecture, IT infrastructure and interaction with external entities.
• Work with business, application, and supplier teams to perform in-depth threat assessments by leveraging methods such as STRIDE, VAST, Attack Tree etc.
• Provide subject matter expertise in assessing potential security threats in the application architecture and evaluate security controls to mitigate threats.
• Assess the risk of identified threats by evaluating likelihood and impact, determine countermeasures and remediation.
• Apply Information Security Policy and industry security standards (E.g.: OWASP, NIST, CIS etc.,) and guide application teams to help build secure products.
• Follow security governance process for issue tracking and closure. Ensure that security improvement actions are evaluated, validated, and implemented as required.
• Provide feedback for improving Threat Modeling tools and processes.
• Leverage industry best practices to continually improve process maturity.
• Promote awareness of security issues among application teams and business teams through training and awareness programs.
• Stay updated through continuous learning of emerging technologies like LLM, ZTNA, LCNC etc.

Skillset required:

• Experience in handling web application security risks - OWASP Top-10 E.g.: Injection attacks, buffer overflow, cross-site scripting etc.
• Skill to provide security controls guidance related to data usage, processing, storage, and transmission.
• Knowledge of different Threat Modeling methodologies (E.g.: STRIDE, VAST, Attack Tree etc.).
• Knowledge of security assessment, risk management processes, cyber security threats, vulnerabilities, attack methods and techniques.
• Knowledge of organization's information security policies, standards, and procedures.
• Ability to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
• Knowledge of network access, cryptography, cryptographic key management concepts, identity and access management (e.g.: OAuth, OpenID, SAML).
• Knowledge of cloud security and API security.
• Knowledge of security assessment for Microservices architecture, Databases (SQL/NoSQL), Google Cloud Platform resources like cloud storage, Redis Pub/Sub and Cloud Run.
• Knowledge of computer networking and network security architecture concepts including topology, protocols, components, and principles.
• Knowledge of laws, regulations, policies, and ethics related to cybersecurity and privacy.
• Ability to evaluate information for reliability, validity, and relevance.
• Excellent analytical, communication, documentation, and presentation skills.
• Knowledge of emerging technologies like AI/ML, Zero Trust, LCNC etc. and willingness to learn new technologies and concepts.
• Knowledge of Agile practices and SDLC
• Self-Starter who can work in ambiguous situations and drive to a solution.
• Strong interpersonal skills, including ability to educate and influence.

Qualifications required:

• Bachelor's degree in computer science, Cyber Security, or related field of study
• 2+ years of experience in Cyber Security or related fields of IT.
• Knowledge on Security Framework such as NIST CSF, ISO27001, OWASP Top-10 etc.
• Cyber security certifications like CISSP, OSCP, CEH, Pentest+ are highly desirable.