Senior IT Security Analyst (MI DevSecOps Engineer)





For over 80 years, GfK has been a reliable and trusted insight partner for the world’s biggest companies and leading brands who make a difference in every consumer’s life - and we will continue to build on this. We connect data, science and innovative digital research solutions to provide answers for key business questions around consumers, markets, brands and media. With our headquarters in Germany and a presence in around 60 countries worldwide, you benefit from our global company with a diverse community of ~9,000 employees.

Harnessing the power of our workforce, the greatest asset we have is our people. As part of GfK, you can take your future into your own hands. We value talent, skills and responsibility and support your development within our international teams. We are proud of our heritage and our future: Currently we are in the latter stages of a transformational journey from a traditional market research company to a trusted provider of prescriptive data analytics powered by innovative technology. This is only possible with extraordinary people and this is why we are looking for YOU to help create our future. For our employees as well as for our clients we pursue one goal: Growth from Knowledge!

Job Description

As a Senior DevSecOps Engineer/Senior IT Security Analyst within a Client Solution Group (CSG), you will be responsible for embedding security practices into the SDLC and creating a security culture within CSG engineering teams. You will work closely with the central Information Security team to translate security requirements into real-world deliverables. “Shift left” will be your mantra. The Senior DevSecOps Engineer/Senior IT Security Analyst will be responsible for deployment & support of security solutions and provide guidance on security in web applications, APIs and public cloud technologies.

As a Senior IT Security Analyst, you will have the following key accountabilities:

  • Embed security culture within the CSG engineering teams

  • “Shift left” and automate security wherever possible

  • Work with engineering squads (Developers, SREs & QAs) to ensure that projects are secure on delivery

  • Provide KPIs/metrics to ensure testing coverage and vulnerabilities are remediated within agreed SLAs

  • Integrate security tools into the SDLC

  • Build/maintain/support security testing tools

  • Manually validate findings from security scans to eliminate false positives

  • Work in a fast-paced environment to identify and assist troubleshooting of vulnerabilities identified during application vulnerability scans

  • Explain risk and criticality of identified vulnerabilities to business owners/technical teams and advise on remediation activities, including attending development/engineering stand-ups

  • Work with business application owners/technical engineering teams on remediation plans and assist teams on what to fix and how to fix it

  • Perform threat modelling on web applications, public cloud and containerized environments

  • Run static analysis and perform code/third-party library reviews to identify security weaknesses

  • Conduct risk assessments of web applications

  • Support security incidents involving Cloud environments and web services

  • Assist with management and tuning of the Web Application Firewall (WAF)

  • Assist maintaining a CMDB of web applications and performing risk assessments of the applications

  • Contribute to the application security framework

  • Part of the Security Community of Practice (CoP)

  • Take ownership of additional duties as required

Now that you know what a Senior IT Security Analyst does, what skills, qualifications and experience do you need?

  • Experience working with Developers, DevOps, and Engineering teams in a dynamic environment to promote/implement the DevSecOps program throughout the organization

  • Minimum of 5 years of relevant IT experience, with at least 3 years devoted specifically to DevSecOps

  • Educated in Cyber Security/Computer Studies/Engineering

  • Public cloud security certificate from AWS/GCP preferred

  • SANS training or GIAC/OSCP/OSWE desirable

  • Experience working in an Agile/Sprint based delivery environment (using Jira/Confluence or other bug tracking tools) would be an advantage in this role

  • Prior DevOps/Development/QA experience would be beneficial

  • Full understanding of web stack, web security and common vulnerabilities (e.g. SQLi, XSS etc.)

  • Development skills to facilitate code reviews or tool development

  • A good understanding of securing public cloud technologies (AWS & GCP)

  • Ability to work with APIs and plugins to integrate security tools into established CI/CD pipelines

  • DevOps automation using Jenkins, Puppet, Ansible, GitLab, etc.

  • Experience with securing container technologies including Docker and Kubernetes

  • Experience integrating DAST, SAST, IAST & SCA tools into the SDLC

  • Hands-on experience of infrastructure as code and Hashicorp Vault

  • Understanding of network devices such as firewalls and routers, and platforms such as Windows and Unix

  • Proficiency in Bash, Python, Perl, PowerShell or other scripting languages

  • Ability to review and analyze vulnerability data to identify security risks to the organization's network, infrastructure and applications, and to determine which reported vulnerabilities are false positives

  • Capability to prepare security vulnerability and risk management reports for management.

  • Leadership and Teaming skills to coordinate remediation of vulnerabilities within established timeframes.

  • Strong knowledge of OWASP

  • Ability to think like a hacker

  • Be able to build good working relationships with both technical and business stakeholders, gaining their respect and trust based on your knowledge and professionalism

  • Have the ability and desire to quickly learn new technologies

  • Excellent communication skills and ability to work with global counterparts

  • Ability to work in a fast-paced environment

  • Promote DevSecOps, leading by example to change existing systems and practices for the better

  • Good troubleshooting skills

  • Forward-looking approach to addressing existing & upcoming security challenges

Join our team and benefit from the following advantages:

  • Exciting work environment that brings people together

  • Use of the latest digital technologies

  • Initial and ongoing trainings to support your development

  • Opportunities for personal and professional growth

  • Competitive remuneration and bonus scheme linked to individual performance and company results

  • 3 additional non-working days annually

  • Food vouchers

  • Health insurance

  • Discount program with external vendors

  • Eco-friendly travelers are welcome at the office – parking places for bikers and a free card for public transportation are available to all employees

  • Variety of sport activities such as football and traditional Bulgarian dances

  • Last but not least – the GfK Sofia office is located close to the city centre and is easily accessible from any point by public transportation – 47A Tsarigradsko Shose Blvd

All documents will be treated in the strictest confidentiality.
Only short-listed candidates will be invited for an interview.

We offer an exciting work environment that brings people together. We encourage an entrepreneurial and innovative spirit. We make use of the latest digital technologies. We are looking for self-starters, who accept challenges and create solutions.

Can there be a better place to take center stage in the digital revolution? We are excited to get to know you!

Posted: 43 days ago

City: Kuala Lumpur, Sofia

Work Area: IT

Job Time: Full Time

Requisition ID: R00008575