Vulnerability Assessment Analyst (Secret)

Vulnerability Assessment Analyst

Location: Kraków

Contract Type: B2B

Salary: 160PLN/hour - 190 PLN/hour 

Work Model: Work from the Krakow office 3 times a month

Our Technology teams work closely with global businesses to design and build digital services that allow millions of customers worldwide to bank quickly, simply, and securely. We also manage IT infrastructure, data centers, and core banking systems that power one of the world’s leading international financial institutions.

Our multi-disciplinary Technology teams include DevSecOps engineers, IT architects, front and back-end developers, infrastructure specialists, cybersecurity experts, and delivery, project, and program managers.

Following extensive investment across our Technology and Digital domains, with plans for continued expansion throughout 2023 and beyond, we are currently seeking a Consultant Specialist to join our Cybersecurity team within Technology.

Brief Overview of the Business Areas

Global Cybersecurity enables businesses and functions to manage their information, technology, and cybersecurity risks by ensuring these are well-understood, with controls appropriately defined, assessed, and implemented. Cybersecurity delivers this through objective, independent, professional, and specialized subject matter expertise. The role is part of the 1LoD (First Line of Defense) within the risk management framework.

The Cybersecurity Assessment and Testing (CSAT) function, part of Global Cybersecurity, is responsible for Vulnerability Management, Secure Development (including DevSecOps), Threat and Controls Assessment (including threat modeling), and Third-Party Security Assessment. The function identifies, captures, assesses, tests/verifies, and remediates security defects, gaps, and vulnerabilities across the company's systems, on-premise, within the cloud, and those stemming from third-party engagements.

What You Will Be Doing

In this key role, you will provide ongoing assessment for newly identified vulnerabilities and respond to business queries regarding potential false positives, vulnerability findings, secret data types, and guidance on mitigation approaches. The primary goal is to ensure that all newly discovered vulnerabilities follow the correct risk assessment process, presenting a clear risk profile for senior stakeholders through automated reporting.

The role reports to the Head of Vulnerability Assessment.

Key responsibilities include:

• Managing the review of assigned JIRA tickets, identifying potential false positives, advising on remediation, and supporting imminent threat review sessions.
• Monitoring external threat feeds for newly reported risks.
• Documenting remediation patterns and false positive identifications within central tools and applying them across the identified threat landscape.

What You Will Bring to the Role

• Proficiency in vulnerability management technologies and applications (e.g., SAST/DAST tools like Checkmarx, Netsparker, Fortify, IBM AppScan, etc.).
• Strong knowledge of OWASP concepts, CVE, CWE, and cryptography.
• Experience in vulnerability assessments, scoring, and ratings.
• Hands-on experience with Dynamic Application Security Testing (DAST) and SAST.
• Solid understanding of Secrets Management and secret data types.
• Knowledge of programming languages like Python and Java.
• Awareness of common threats, attacks, security protocols, and standards.
• Strong analytical skills for timely risk assessments of vulnerabilities.
• Familiarity with GitHub, Stash, and data platforms.
• A proven track record of delivering high-quality results on time.
• At least 4+ years of experience in Application Security, with the ability to work in a hybrid model.

Key Responsibilities:

• Assess all newly discovered vulnerabilities to ensure the risk score accurately reflects the associated risk.
• Review various repositories to identify secret data types and sensitive information.
• Monitor external threat feeds to identify any newly reported external risks.
• Manage the review of assigned JIRA tickets, determine potential false positives or mitigation approaches, and provide expert guidance on remediation.
• Ensure all remediation patterns and false positive identifications, as well as temporary fix reviews, are clearly documented in central tools and applied across the identified threat landscape.
• Identify critical operational paths and ensure they are followed to optimize efficiency.
• Maintain clear accountability for key control and risk indicators related to Vulnerability Assessment and Response.
• Support imminent threat review sessions, and deputize for the chair when required.
• Engage with the Head of VM Ops, Reports, Vulnerability Capture, and relevant team members to review and gain approval for submissions, ensuring information requests align with the group's risk appetite.
• Perform ad hoc tasks as needed, including support for CSAT operational activities, handling escalations, and responding to requests from various teams.