
Consultant – Application Security Analyst, Local (HQ Gaza)


  • Organization: UN - United Nations
  • Location: Gaza
  • Grade: Consultancy - Consultant - Contractors Agreement
  • Occupational Groups:
    • Security and Safety
  • Closing Date: Closed

Result of Service

UNRWA hosts 50 web applications and is in the process of migrating many of them to Azure. In addition, the organization runs multiple software development projects, and several big initiatives are planned.

UNRWA Information Management and Technology Department (IMTD) is seeking an Application Security Analyst who will support software development in UNRWA.

The incumbent will report administratively to the Head of the Information Technology Service Centre at the Headquarters in Gaza and technically to the Head of Information Security Office at the Headquarters in Amman.

• Please indicate if you are a Palestinian Refugee and provide your registration card number if applicable.

Work Location


Expected duration

From 4 to 11 months

Duties and Responsibilities

The position will focus on vulnerability management, threat modelling, Azure, and automation. The incumbent will work on the following activities:

• Conducting vulnerability assessments:
Identify security vulnerabilities and weaknesses in applications and systems by performing vulnerability assessments. You will need to use a variety of tools and techniques, such as penetration testing, code analysis, and web application scanning, to identify and analyze potential threats.

• Developing security policies and procedures:
Develop and document policies and procedures to improve the security posture of applications and systems. Incumbent may also help develop security standards and guidelines for development teams to follow.

• Recommending security solutions:
Identify security solutions and technologies to improve the security posture of applications and systems. Incumbent will evaluate new security technologies and make recommendations to management for implementation.

• Collaborating with development teams:
Work closely with development teams to ensure that security is integrated into the software development life cycle (SDLC). Incumbent may provide training and guidance to developers on secure coding practices and help them understand the implications of security vulnerabilities.

• Managing security incidents:
Manage security incidents and respond to security breaches. Incumbent will need to work closely with other security teams, such as incident response and forensics, to investigate security incidents and take corrective actions.
• Use threat modeling, vulnerability scanning, code testing, and industry best practices to reduce and eliminate attack vectors and vulnerabilities in our applications, processes, and systems prior to deployment to production.
• Support Application Development teams with results from scans by reviewing findings with Application Teams and documenting and tracking security findings through remediation.
• Conduct web application penetration testing using industry standard tools and techniques.
• Analyze, evaluate, and prioritize findings to provide recommendations to improve the security of the application.
• Provide detailed documents on findings that communicate to both technical and non-technical audiences.
• Provide guidance to other members of the security team on web application security best practices.
• Support the implementation and configuration of application security tools.
• Partnering with application teams to assist with remediation of security gaps.
• Document findings and remediation recommendations and collaborate with consulting team and customers to ensure vulnerability findings are successfully and efficiently addressed.
• Collaborating across Information Security to advocate for Application Security
• Support the evaluation of new technologies and programming practices to facilitate application team secure adoption across the enterprise.
• Lead and facilitate threat modeling exercises to ensure optimized security design decisions are being made.
• Supporting software development projects on cybersecurity
• Preparing training materials on cybersecurity for developers
• Analysis of SonarQube, OWASP Tenable reports
• Automation of security processes using Power Automate
• Security of applications in Azure
• Performs other related duties as required.

Qualifications/special skills

Academic Qualifications:

A university degree from an accredited educational institution in information technology, information management, information systems, computer science, computer engineering, software engineering, business administration, management, or other related disciplines.


• A minimum of 3 years' experience for a bachelor's degree and 1 year for a master's degree in web application vulnerabilities and exploitation techniques.
• Familiarity with OWASP Top 10 and other industry standard security frameworks.
• Proficient in the use of web application security testing tools such as Burp Suite, OWASP ZAP, and others.
• Experience with Software Security Architecture and Design, SDLC, CI/CD, and the ability to clearly articulate best practices for application security.
• Ability to perform threat modeling and design reviews to assess security implications and requirements for introduction of modern technologies.
• Application development background in Java/.Net or similar with excellent understanding in mitigating OWASP Top 10 attacks.
• Good understanding of vulnerability management
• Experience writing simple scripts in Power Automate
• Experience in analyzing SonarQube and Tenable reports.
• Good understanding of secure coding and security best practices


• Azure certifications, e.g. AZ-900 Microsoft Azure Fundamentals
• Hands-on experience with OWASP ZAP and Burp Suite


• Applying technical expertise.
• Strong ability to drive for results, to manage and deliver against multiple priorities on time.
• Strong analytical and critical thinking skills.
• Strong interpersonal and communication skills; verbal and written.
• Flexibility and adaptability.


• Fluency in spoken and written English.

Service Conditions

• The duration of the consultancy is 4 to 11 months, extendable according to performance and availability of funds.
• Remuneration for this consultancy is $1,410.70 monthly, and it will depend on the qualifications and experience of the candidate.
• The consultant will be based in Gaza.


• Automate scans and perform vulnerability management using Power Automate.
• Develop security policies for web applications and create threat models.
• Develop guides and training materials for developers to help them fix vulnerabilities, teach them about security best practices, and support training sessions.
• Review Tenable scan results and those of other scanning tools, evaluate criticality, exclude false positives, and generate reports.



No Fee


This vacancy is now closed.