Software Security Analyst I
About Risk Based Security:
Risk Based Security (https://www.riskbasedsecurity.com/) is recognized as one of the 500 hottest and most innovative cyber security companies to watch in 2019. Our products, Cyber Risk Analytics (CRA) and VulnDB, provide organizations access to the most comprehensive threat and vulnerability intelligence knowledge bases and risk ratings available. In addition, our YourCISO offering provides organizations with on-demand access to high quality security and information risk management resources in one easy to use web portal.
About the Role:
Risk Based Security, Inc. was founded to equip organizations with vulnerability intelligence and data breach intelligence to better assist risk management methodologies and software vulnerability research. We are recognized as a premier security and threat intelligence firm by providing innovative, action enabling, predictive, and evidence-based risk management solutions to our clients. www.riskbasedsecurity.com.
We are looking to add a new Security Analyst to our Vulnerability Intelligence Team. Our Vulnerability Database offering, VulnDB, provides the most timely, highest quality, and most comprehensive vulnerability intelligence solution in the security market. This position is not eligible for remote work and will work out of our Richmond, VA office.
● Analyze product changelogs, bug reports, pull requests, commit histories, and vulnerability reports from researchers and developers to identify security issues and extract relevant information. (RBS provides data sources)
● Generate vendor and product metadata to enhance customer use of data.
● Provide the first level of analysis and review of potential security issues, weeding out reports that do not meet criteria for inclusion in VulnDB.
● Initially pass the identified security issues up the chain for further validation and approval via basic data entry, while learning more about vulnerabilities and our processes of customer monitoring requests.
● Help maintain a database of customer product monitoring requests, their status, and ultimate disposition.
● Once fully trained, take on more responsibility for analysis, validation, and data entry, supported by ongoing training.
What you must bring to the job:
● A basic understanding of the developer process, primarily through portals such as GitHub or SourceForge. This includes bug tickets, pull requests, commits, and software releases.
● A basic understanding of software vulnerabilities such as race conditions (TOCTTOU), SQL injection, path traversals, command injection, XSS as well as the ability to differentiate between an out-of-bounds read and a buffer overflow by reading e.g. ASAN output. This includes a firm grasp on the idea of crossing privilege boundaries and how that defines a vulnerability.
● A basic understanding of a wide variety of software such as Windows desktop software, how a CMS works, differences in privilege levels, web browsers, web browser plugins, and a solid grasp of HTML.
● Ability to commit to an agreed schedule of availability of 40 hours per week during mostly business hours, with some flexibility! Self-motivation and the ability to work independently, once trained. Experience working with a great deal of autonomy.
● Reading comprehension, great attention to detail, and deductive reasoning are a must.
● Excellent communication skills, including email etiquette, and the ability to ask for help or guidance when needed.
● A desire to keep learning new things and willingness to offer new ideas for improving RBS services.
What would be great to have:
● Security industry experience, industry familiarity, or at least intellectual curiosity in the field of Information Security.
● Some software coding experience in e.g. C/C++, Java, PHP, Python, Ruby, Perl is valuable!
● Certifications such as Network+, Security+, GIAC Security Essentials, or even a CISSP.
● University or military course covering security principles and practices.
● Network scanning and/or web application testing familiarity.
● Experience running any operating system other than Microsoft Windows or Apple macOS, unless you appreciate the underlying Unix-based operating system on macOS!
What we will provide:
- Full training on where to look and what to look for, how it wraps into our service, and an understanding of high-end vulnerability intelligence solutions.
- All the necessary hand holding and availability for Q&A until you are fully proficient in your duties and feel comfortable. (Generally, within the first two to three weeks)
- Encouragement and training to move beyond the entry level position.
- Competitive Salary
- Paid Vacation and Holidays
- Company-paid Life and Disability Insurance
- Retirement plan with company match
- Healthcare Insurance Eligibility
- Eligible for a yearly bonus based on individual and company performance
- Foosball Table, Snacks, Beverages