Senior Vulnerability Code Analyst

We are seeking an experienced Senior Vulnerability Code Analyst with deep expertise in Ruby on Rails to join our security team. This role focuses on identifying and analyzing security vulnerabilities in application code, conducting comprehensive security assessments, and working closely with development teams to ensure secure software delivery.

Core Responsibilities:

  • Vulnerability Code Analysis: Perform in-depth security code reviews and vulnerability assessments of Ruby on Rails applications, identifying security flaws and weaknesses before production deployment
  • Security Findings Management: Document, prioritize, and track security vulnerabilities, providing detailed remediation guidance and working with development teams through the fix verification process
  • Static & Dynamic Analysis: Execute and manage automated security scanning tools (SAST, DAST, SCA) and perform manual code reviews to identify complex security issues that automated tools may miss
  • Secure Code Consultation: Serve as a security advisor to development teams, providing guidance on secure coding practices, vulnerability remediation, and security design patterns
  • Threat Modeling: Collaborate with product and engineering teams to conduct threat modeling exercises and identify potential security risks during the design and development phases
  • Cloud Security Analysis: Review and analyze security configurations in AWS cloud environments, ensuring compliance with security standards and best practices
  • Security Assessment Reporting: Prepare comprehensive vulnerability assessment reports with risk ratings, technical details, and actionable remediation recommendations for technical and management audiences
  • Continuous Improvement: Develop and refine vulnerability analysis processes, security testing methodologies, and automation scripts to improve efficiency and coverage

Required Qualifications:

Experience:

  • 5+ years of experience in vulnerability analysis, application security, security code review, or penetration testing
  • Proven expertise in analyzing Ruby on Rails applications for security vulnerabilities
  • Demonstrated experience working with software development teams in Agile environments
  • Track record of successfully identifying, documenting, and remediating security vulnerabilities

Technical Expertise:

Programming & Scripting:

  • Strong proficiency in Ruby programming language and Ruby on Rails framework
  • Experience with additional languages such as Python, PHP, Bash, or PowerShell for security automation and analysis

Vulnerability Analysis Tools:

  • Expert-level experience with static application security testing (SAST) tools such as Fortify, Checkmarx, Veracode, or SonarQube
  • Proficiency with dynamic application security testing (DAST) tools including Burp Suite Professional, OWASP ZAP, or similar
  • Experience with software composition analysis (SCA) tools for dependency vulnerability scanning
  • Familiarity with fuzzing tools and techniques for discovering edge-case vulnerabilities

Security Knowledge:

  • Deep understanding of common web application vulnerabilities (OWASP Top 10, CWE/SANS Top 25)
  • Expert knowledge of security vulnerabilities specific to Ruby on Rails (mass assignment, unsafe deserialization, SQL injection, XSS, CSRF, etc.)
  • Strong grasp of secure coding principles and defensive programming techniques
  • Knowledge of authentication and authorization vulnerabilities, cryptographic weaknesses, and session management issues
  • Understanding of API security risks and testing methodologies (REST, GraphQL)

Cloud Security:

  • Hands-on experience with AWS security services including Security Hub, GuardDuty, Inspector, IAM, and KMS
  • Knowledge of AWS cloud security best practices and common misconfigurations
  • Experience analyzing Infrastructure-as-Code (Terraform, CloudFormation) for security issues
  • Understanding of cloud-native application security considerations

Vulnerability Management:

  • Experience with vulnerability management platforms and workflows
  • Knowledge of risk assessment methodologies and vulnerability scoring (CVSS)
  • Familiarity with coordinated vulnerability disclosure processes
  • Understanding of security patch management and remediation tracking

Compliance & Standards:

  • Working knowledge of industry security standards and frameworks (NIST, OWASP ASVS, SANS)
  • Experience with compliance requirements such as HIPAA, SOC 2, or PCI-DSS
  • Familiarity with secure SDLC practices and security gate processes

Preferred Qualifications:

Certifications:

  • Offensive Security Certified Professional (OSCP)
  • GIAC Web Application Penetration Tester (GWAPT)
  • Certified Secure Software Lifecycle Professional (CSSLP)
  • AWS Certified Security – Specialty
  • Certified Ethical Hacker (CEH)
  • GIAC Certified Incident Handler (GCIH)

Additional Skills:

  • Experience with penetration testing and red team operations
  • Knowledge of exploit development and proof-of-concept creation
  • Familiarity with reverse engineering and binary analysis
  • Experience with CI/CD pipeline security integration
  • Container and Kubernetes security knowledge
  • Participation in bug bounty programs or vulnerability research
  • Contributions to open-source security tools or projects

Key Competencies:

  • Analytical Mindset: Exceptional analytical and critical thinking skills with meticulous attention to detail in identifying subtle security flaws
  • Technical Communication: Strong ability to articulate complex security vulnerabilities and remediation steps clearly to both technical developers and non-technical stakeholders
  • Collaborative Approach: Excellent interpersonal skills with the ability to build trusted relationships with development teams and influence security improvements
  • Problem-Solving: Creative and persistent approach to vulnerability discovery and security problem resolution
  • Time Management: Ability to manage multiple concurrent security assessments and prioritize effectively based on risk
  • Continuous Learning: Passion for staying current with emerging vulnerabilities, attack techniques, and security research
  • Documentation Skills: Strong written communication skills for creating detailed vulnerability reports and security documentation
  • Self-Motivation: Independent worker who can drive security initiatives with minimal supervision

To apply for this job email your details to mahesht@smacforce.com