For over 80 years, GfK has been a reliable and trusted insight partner for the world’s biggest companies and leading brands who make a difference in every consumer’s life - and we will continue to build on this. We connect data, science and innovative digital research solutions to provide answers for key business questions around consumers, markets, brands and media. With our headquarters in Germany and a presence in around 60 countries worldwide, you benefit from our global company with a diverse community of ~9,000 employees.
Harnessing the power of our workforce, the greatest asset we have is our people. As part of GfK, you can take your future into your own hands. We value talent, skills and responsibility and support your development within our international teams. We are proud of our heritage and our future: Currently we are in the latter stages of a transformational journey from a traditional market research company to a trusted provider of prescriptive data analytics powered by innovative technology. This is only possible with extraordinary people and this is why we are looking for YOU to help create our future. For our employees as well as for our clients we pursue one goal: Growth from Knowledge!
As a Senior DevSecOps Engineer/Senior IT Security Analyst within a Client Solution Group (CSG), you will be responsible for embedding security practices into the SDLC and creating a security culture within CSG engineering teams. You will work closely with the central Information Security team to translate security requirements into real-world deliverables. “Shift left” will be your mantra. The Senior DevSecOps Engineer/Senior IT Security Analyst will be responsible for deployment & support of security solutions and provide guidance on security in web applications, APIs and public cloud technologies.
As a Senior IT Security Analyst you will have the following key accountabilities:
Embed security culture within the CSG engineering teams
“Shift left” and automate security wherever possible
Work with engineering squads (Developers, SREs & QAs) to ensure that projects are secure on delivery
Provide KPIs/metrics to ensure testing coverage and vulnerabilities are remediated within agreed SLAs
Integrate security tools into the SDLC
Build/maintain/support security testing tools
Manually validate findings from security scans to eliminate false positives
Work in a fast-paced environment to identify and assist troubleshooting of vulnerabilities identified during application vulnerability scans
Explain risk and criticality of identified vulnerabilities to business owners/technical teams and advise on remediation activities, including attending development/engineering stand-ups
Work with business application owners/technical engineering teams on remediation plans and assist teams on what to fix and how to fix it
Perform threat modelling on web applications, public cloud and containerized environments
Run static analysis and perform code/third-party library reviews to identify security weaknesses
Conduct risk assessments of web applications
Support security incidents involving Cloud environments and web services
Assist with management and tuning of the Web Application Firewall (WAF)
Assist maintaining a CMDB of web applications and performing risk assessments of the applications
Contribute to the application security framework
Part of the Security Community of Practice (CoP)
Take ownership of additional duties as required
Now that you know what Senior IT Security Analyst does, what skills, qualifications and experience do you need?
Experience working with Developers, DevOps, and Engineering teams in a dynamic environment to promote/implement the DevSecOps program throughout the organization
Minimum of 5 years’ experience of relevant IT experience, with at least 3 years devoted specifically to DevSecOps
Educated in Cyber Security/Computer Studies/Engineering
Public cloud security certificate from AWS/GCP preferred
SANS training or GIAC/OSCP/OSWE desirable
Experience working in an Agile/Sprint based delivery environment (using Jira/Confluence or other bug tracking tools) would be an advantage in this role
Prior DevOps/Development/QA experience would be beneficial
Full understanding of web stack, web security and common vulnerabilities (e.g. SQLi, XSS etc.)
Development skills to facilitate code reviews or tool development
A good understanding of securing public cloud technologies (AWS & GCP)
Ability to work with APIs and plugins to integrate security tools into established CI/CD pipelines
DevOps Automation using Jenkins, Puppet, Ansible, GitLab etc
Experience with securing container technologies including Docker and Kubernetes
Experience integrating DAST, SAST, IAST & SCA tools into the SDLC
Hands-on experience of infrastructure as code and Hashicorp Vault
Understanding of network devices like firewalls, routers, etc. and platforms such as Windows, Unix, etc
Proficiency in Bash, Python, Perl, PowerShell or other scripting languages
Ability to review and analyze vulnerability data to identify security risks to the organization's network, infrastructure, and application's and determine any reported vulnerabilities that are false positives.
Capability to prepare security vulnerability and risk management reports for management.
Leadership and Teaming skills to coordinate remediation of vulnerabilities within established timeframes.
Strong knowledge of OWASP
Ability to think like a hacker
Be able to build good working relationships with both technical and business stakeholders, gaining their respect and trust based on your knowledge and professionalism
Have the ability and desire to quickly learn new technologies
Excellent communication skills and ability to work with global counterparts
Ability to work in a fast-paced environment
Promote DevSecOps, leading by example to change existing systems and practices for the better
Good troubleshooting skills
Forward looking approach to addressing existing & upcoming security challenges
Join our team and benefit from the following advantages:
Exciting work environment that brings people together
Use of the latest digital technologies
Initial and ongoing trainings to support your development
Opportunities for personal and professional growth
Competitive remuneration and bonus scheme linked to individual performance and company results
3 additional non-working days annually
Discount program with external vendors
Eco friendly travelers are welcome to the office – parking places for bikers and free card for public transportation are available to all employees
Variety of sport activities such as football and traditional Bulgarian dances
Last but not least – GfK Sofia office is located close to the city centre and easily accessible from any point by public transportation – 47A Tsarisgradsko Shose Blvd
All documents will be treated in the strictest confidentiality.
Only short-listed candidates will be invited for an interview.
We offer an exciting work environment that brings people together. We encourage an entrepreneurial and innovative spirit. We make use of the latest digital technologies. We are looking for self-starters, who accept challenges and create solutions.
Can there be a better place to take center stage in the digital revolution? We are excited to getting to know you!