For over 80 years, GfK has been a reliable and trusted insight partner for the world’s biggest companies and leading brands who make a difference in every consumer’s life - and we will continue to build on this. We connect data, science and innovative digital research solutions to provide answers for key business questions around consumers, markets, brands and media. With our headquarters in Germany and a presence in around 60 countries worldwide, you benefit from our global company with a diverse community of ~9,000 employees.
Harnessing the power of our workforce, the greatest asset we have is our people. As part of GfK, you can take your future into your own hands. We value talent, skills and responsibility and support your development within our international teams. We are proud of our heritage and our future: Currently we are in the latter stages of a transformational journey from a traditional market research company to a trusted provider of prescriptive data analytics powered by innovative technology. This is only possible with extraordinary people and this is why we are looking for YOU to help create our future. For our employees as well as for our clients we pursue one goal: Growth from Knowledge!
As an IT Security Analyst within the Information Security team, your role will be to work with various engineering teams and business product owners to ensure secure coding practices are implemented throughout the software development lifecycle to protect GfK’s 1,000+ public websites/services. The IT Security Analyst will be responsible for the deployment and support of security solutions and will provide guidance on security in web applications, APIs and public cloud technologies.
As an IT Security Analyst you will have the following key accountabilities:
Work with engineering squads (Developers, SREs & QAs) to ensure that products are secure on delivery.
Provide KPIs/metrics to ensure testing coverage and vulnerabilities are remediated within agreed SLAs.
Integrate security tools into the SDLC.
Build/maintain/support security tools.
Run static scans/perform code/third-party library reviews to identify security weaknesses.
Manually validate findings from security scans to eliminate false positives.
Perform manual security code reviews of engineering squads’ projects to minimize introduction of security weaknesses early in the SDLC.
Work in a fast-paced environment to identify and assist troubleshooting of vulnerabilities identified during application vulnerability scans.
Explain risk and criticality of identified vulnerabilities to business owners/technical teams and advise on remediation activities, including attending development/engineering stand-ups.
Work with business application owners/technical engineering teams on remediation plans and aid the teams on what to fix and how to fix it.
Perform threat modelling on web applications, public cloud environments and containers.
Support security incidents involving Cloud environments and web services.
Assist with management and tuning of the Web Application Firewall (WAF).
Assist in maintaining a CMDB of web applications and performing risk assessments of the applications.
Contribute to the application security framework.
Part of the Security Community of Practice (CoP).
Conduct risk assessments of web applications.
Take ownership of additional duties as required.
Now that you know what an IT Security Analyst does, what skills, qualifications and experience do you need?
Experience working in a software development capacity.
Experience working with developers and engineering teams in a dynamic environment to promote/implement security engineering practices throughout the organization.
Experience with service-oriented architecture and web services security.
Experience with the application of threat modeling or other risk identification techniques.
Minimum of 5 years of relevant IT experience, with at least 1 year devoted specifically to security engineering.
Educated in Cyber Security/Computer Studies/Engineering.
SANS training or GIAC/OSCP/OSWE/AWS/GCP security certification desirable.
Experience working in an Agile/Sprint based delivery environment (using Jira/Confluence or other bug tracking tools) would be an advantage in this role.
Proficiency in one or more programming frameworks: Java, ASP.Net, Node or PHP.
Proficiency in Bash, Python, Perl, PowerShell or other scripting languages.
Demonstrated development skills to facilitate code reviews or tool development.
Ability to work with APIs and plugins to integrate security tools into established CI/CD pipelines.
Experience integrating DAST, SAST, IAST & SCA tools into the SDLC.
Full understanding of the web stack, web security and common vulnerabilities (e.g. SQLi, XSS, OWASP Top 10 & beyond).
A good understanding of network and web related protocols, TCP, UDP, HTTP, WebSocket.
A good understanding of securing public cloud technologies (AWS & GCP).
Hands-on understanding of container & orchestration technologies including Docker and Kubernetes.
Understanding of network devices like firewalls, routers, etc. and platforms such as Windows, Unix, etc.
Ability to review and analyze vulnerability data to identify security risks to the organization's network, infrastructure, and applications and determine any reported vulnerabilities that are false positives.
Capability to prepare security vulnerability and risk reports for management.
Leadership and Teaming skills to coordinate remediation of vulnerabilities within established timeframes.
Ability to think like a hacker.
Be able to build good working relationships with both technical and business stakeholders, gaining their respect and trust based on your knowledge and professionalism.
Have the ability and desire to adapt and quickly learn new technologies.
Excellent communication skills and ability to work with global counterparts.
Ability to work in a fast-paced environment.
Promote secure coding patterns, leading by example to improve secure code quality of existing systems and practices for the better.
Good troubleshooting skills.
Forward looking approach to addressing existing & upcoming security challenges.
Join our team and benefit from the following advantages:
Exciting work environment that brings people together
Use of the latest digital technologies
Initial and ongoing trainings to support your development
Opportunities for personal and professional growth
Competitive remuneration and bonus scheme linked to individual performance and company results
3 additional non-working days annually
Discount program with external vendors
Eco friendly travelers are welcome to the office – parking places for bikers and free card for public transportation are available to all employees
Variety of sport activities such as football and traditional Bulgarian dances
Last but not least – GfK Sofia office is located close to the city centre and easily accessible from any point by public transportation – 47A Tsarisgradsko Shose Blvd
All documents will be treated in the strictest confidentiality.
Only short-listed candidates will be invited for an interview.
We offer an exciting work environment that brings people together. We encourage an entrepreneurial and innovative spirit. We make use of the latest digital technologies. We are looking for self-starters, who accept challenges and create solutions.
Can there be a better place to take center stage in the digital revolution? We are excited to get to know you!