Application Security Engineer (P3), Vienna, Austria
Organization: International Atomic Energy Agency (IAEA)
City: Vienna, Austria
Office: IAEA Vienna, Austria
Closing date: Saturday, 21 November 2020
Application Security Engineer (P3)
(2020/0294 (014263))
Organization: MTIT-Security Systems Unit
Primary Location: Austria-Vienna-Vienna-IAEA Headquarters
Job Posting: 2020-11-13, 2:12:41 PM
Contract Type : Fixed Term
Probation Period : 1 Year
This is a re-opening of the vacancy. Candidates who already applied do not need to re-submit an application.
The Division of Information Technology provides support to the IAEA in the field of information and communication technology (ICT), including information systems for technical programmes and management. It is responsible for planning, developing and implementing an ICT strategy, for setting and enforcing common ICT standards throughout the Secretariat and for managing central ICT services. The IAEA's ICT infrastructure comprises hardware and software platforms, and cloud and externally-hosted services. The Division has implemented an IT service management model based on ITIL (IT Infrastructure Library) and Prince2 (Projects in a Controlled Environment) best practices.
The Infrastructure Services Section (ISS) is responsible for implementing, maintaining, and administering the ICT systems and services for high availability; designing, implementing, and operating IT security services; and managing the data centre. The platforms include Microsoft Windows servers, Linux servers, Oracle EBS infrastructure, data storage, and transmission networks, serving more than 2500 staff, as well as over 10000 external users around the world. The Section includes three Units: Network and Telecommunications, Enterprise Systems, and Security Systems.
The Application Security Engineer leads application security and security threat research activities to strengthen IAEA information security and DevOps practices. He/she participates in the development, delivery, and administration of the comprehensive application security program for the IAEA. A successful candidate will work with software development and security peers, supporting day-to-day security DevOps activities including, but not limited to, Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Web Application Firewall (WAF), API security, and security threat research, as well as investigations of possible application security incidents.
The Application Security Engineer is (a) a technical specialist contributing to the design and formulation of security measures, procedures and standards on all aspects of application security; (b) a solution provider, coordinating application security service delivery; (c) a team member actively involved in planning, implementing, testing and deployment of application security controls; and (d) a security threat researcher and incident handler.
Functions / Key Results Expected
Perform application security analysis, including code and architecture review, analysis of data flows and penetration testing, and make recommendations for corrective actions.
Actively contribute to top-notch R&D initiatives related to data analysis, investigations, custom applications development, as well as intelligence collection & analysis.
Participate in threat research, vulnerability discovery and investigations.
Implement and administer preventative and monitoring security controls for the applications environment.
Identify application security issues and risks, and work with the development team to define mitigation plans.
Research and evaluate new and emerging security technologies, features, and products.
Provide substantive inputs and suggestions on all aspects related to application design, vulnerability testing, security infrastructure, security plans and services.
Coordinate application security services, installation and maintenance based on services from external vendors and other UN agencies.
Prepare written reports using data and statistics to contribute towards efficient, effective and secure software deployment.
Provide technical inputs and guidance on deficiency and effectiveness of application security control deployment and usage.
Create and deliver application security training to peers and junior staff.
Competencies and Expertise
Planning and Organizing
Plans and organizes his/her own work in support of achieving the team or Section’s priorities. Takes into account potential changes and proposes contingency plans.
Communicates orally and in writing in a clear, concise and impartial manner. Takes time to listen to and understand the perspectives of others and proposes solutions.
Takes initiative in defining realistic outputs and clarifying roles, responsibilities and expected results in the context of the Department/Division’s programme. Evaluates his/her results realistically, drawing conclusions from lessons learned.
Actively contributes to achieving team results. Supports team decisions.
Helps clients to analyse their needs. Seeks to understand service needs from the client’s perspective and ensure that the client’s standards are met.
Commitment to continuous process improvement
Plans and executes activities in the context of quality and risk management and identifies opportunities for process, system and structural improvement, as well as improving current practices. Analyses processes and procedures, and proposes improvements.
Ensures that work is in compliance with internationally accepted professional standards and scientific methods. Provides scientifically/technically accepted information that is credible and reliable.
Expertise in threat research as well as implementation and maintenance of technical application security controls.
Information Security and Risk Management
Practical expertise in managing security vulnerabilities, threats, and risks according to best practices.
Proven ability to use one or more of the programming languages (Java/Ruby/Python/Perl) and deep understanding of Security Software Development Life Cycle and DevOps principles.
Expertise in creating technical documentation.
Understanding of Web API development, security threats, and remediation best practices.
Qualifications, Experience and Language skills
University degree in Computer Science, IT Security, Information Security or a closely related field.
Internationally recognised security certification, such as EC-Council CASE, EC-Council E|CIH, Offensive Security OSCP, CSSLP would be an advantage.
Minimum 5 years of relevant technical experience of which at least 2 years of experience in one or more of the following domains: application and software security, technical threat research, penetration testing, secure software development.
Foundation in, and in-depth technical knowledge of, security engineering, computer and network security, authentication, security protocols and applied cryptography.
Demonstrated experience with tools and techniques used for software security analysis, including penetration testing, static and dynamic analysis.
Experience with public cloud environments and technologies, including Amazon Web Services, MS Azure, MS DevOps.
Experience with Python, Perl, or other scripting languages.
Excellent oral and written command of English. Knowledge of other official IAEA languages (Arabic, Chinese, French, Russian and Spanish) is an asset.
The IAEA offers an attractive remuneration package including a tax-free annual net base salary starting at US $60962 (subject to mandatory deductions for pension contributions and health insurance), a variable post adjustment which currently amounts to US $25726*, dependency benefits, rental subsidy, education grant, relocation and repatriation expenses; 6 weeks' annual vacation, home leave, pension plan and health insurance.
Applications from qualified women and candidates from developing countries are encouraged.
Applicants should be aware that IAEA staff members are international civil servants and may not accept instructions from any other authority. The IAEA is committed to applying the highest ethical standards in carrying out its mandate. As part of the United Nations common system, the IAEA subscribes to the following core ethical standards (or values): Integrity, Professionalism and Respect for diversity. Staff members may be assigned to any location. The IAEA retains the discretion not to make any appointment to this vacancy, to make an appointment at a lower grade or with a different contract type, or to make an appointment with a modified job description or for shorter duration than indicated above. Testing may be part of the recruitment process.