Vulnerability Assessment – Static Analysis

Citi - Township of Warren, NJ

Primary Location: United States,New Jersey,Warren
Other Location: United States,Texas,Irving; United States,Florida,Fort Lauderdale
Education: Bachelor's Degree
Job Function: Technology
Schedule: Full-time
Shift: Day Job
Employee Status: Regular
Travel Time: No
Job ID: 18064830


The duties include interfacing with development organizations to onboard applications and performing secure code reviews using commercial static analysis tools such as IBM AppScan and HP Fortify. In addition, this individual will execute binary static testing tools to identify third-party component vulnerabilities. The role also covers integration of security tools with build environments to ensure iterative scanning throughout the Secure SDLC. Commercial and open source vulnerability assessment tools and utilities are leveraged during these assessments. The majority of the team has achieved industry-standard security certifications (CISSP, CEH, GIAC, etc.) over time, and we are looking for individuals who are eager to learn. The duties will include providing source code review services through a comprehensive testing process, identifying weaknesses and vulnerabilities within the system, and proposing and implementing countermeasures. In addition, the role will be responsible for:
  • Validating automated testing results and prioritizing them based on overall risk
  • Verifying findings as needed with the application development team
  • Performing application scanning using binaries
  • Performing manual source code review for security vulnerabilities
  • Writing a formal security assessment report for each application, using our company's standard reporting format
  • Participating in conference calls with the engineering team to ensure proper scan coverage and effective results
  • Reporting directly to management on any major flaws identified
  • Re-running the scans on a weekly basis
  • Participating in conference calls with the application team to help them understand the security risk, if required
About Citi

Citi, the leading global bank, has approximately 200 million customer accounts and does business in more than 160 countries and jurisdictions. Citi provides consumers, corporations, governments and institutions with a broad range of financial products and services, including consumer banking and credit, corporate and investment banking, securities brokerage, transaction services, and wealth management. Our core activities are safeguarding assets, lending money, making payments and accessing the capital markets on behalf of our clients.

Citi's Mission and Value Proposition explains what we do, and Citi's Leadership Standards explain how we do it. Our mission is to serve as a trusted partner to our clients by responsibly providing financial services that enable growth and economic progress. We strive to earn and maintain our clients' and the public's trust by constantly adhering to the highest ethical standards and making a positive impact on the communities we serve. Our Leadership Standards are a common set of skills and expected behaviors that illustrate how our employees should work every day to be successful and strengthen our ability to execute against our strategic priorities.

Diversity is a key business imperative and a source of strength at Citi. We serve clients from every walk of life, every background and every origin. Our goal is to have our workforce reflect this same diversity at all levels. Citi has made it a priority to foster a culture where the best people want to work, where individuals are promoted based on merit, where we value and demand respect for others, and where opportunities to develop are widely available to all.


  • Prerequisites for this position are a Bachelor's Degree with 5-7 years' experience in web development or application code review.
  • A basic understanding of security, web-based and infrastructure vulnerabilities is required.
  • Understanding and debugging application build/compilation related errors is required, along with experience with Java IDEs and knowledge of web servers, application servers, build tools, etc.
  • Experience conducting vulnerability assessments and articulating security issues to technical and non-technical audiences.
  • Understanding of the Checkmarx, AppScan Source, Fortify, Veracode, Sonatype or Black Duck platforms is a plus.
  • Familiarity with mobile platforms and languages including Java for Android, Objective-C, Swift, and Kotlin.
  • Development knowledge of Java and/or .NET as well as modern JavaScript frameworks (AngularJS, Node.js, React.js), Python, JSON, Lambda, AWS, or other cloud environment languages is desired.
  • Experience with Agile SDLC environments and previous exposure to Static and/or Dynamic Application Security Testing tools is strongly preferred.
  • Knowledge of tools and processes used to expose common vulnerabilities and implement countermeasures is expected.
  • Excellent communication skills (written and verbal) and the ability to communicate with all levels of staff and management are also essential.
Industry-accredited security certifications will be required (the candidate must have or be willing to obtain all of the following certifications: GIAC GXPN, GPEN, GCIH, CISSP, and CEH). Knowledge of tools and processes used to expose known and undocumented vulnerabilities in a variety of systems is also expected.