This role will directly support the newly formed Application Security and Risk Team within WTW.
You will use your skills and experience to:
· Deputise on behalf of the Application Penetration Testing Manager during their absence.
· Maintain a register of applications requiring annual penetration tests.
· Work with 3rd party providers to scope and schedule penetration tests for applications as part of the software development lifecycle and BAU applications requiring regularly scheduled testing.
· Co-ordinate penetration tests via a 3rd party penetration testing provider.
· Provide assistance ensuring penetration testing pre-requisites are in place (e.g. the creation of application accounts and whitelisting of IP addresses).
· Assess penetration test findings and liaise with development teams to remediate identified vulnerabilities.
· On a sampling basis, validate and assure the consistency of penetration test findings.
· Escalate quality assurance issues to 3rd party penetration testing providers completing tests on WTW's behalf.
· Produce penetration testing report findings for business stakeholders.
· Articulate penetration test findings in both technical and non-technical language, depending on the audience (both technical and business stakeholders), allowing them to make informed risk-based decisions on how vulnerabilities should be addressed.
· Track identified vulnerabilities through to remediation, mitigation or risk acceptance.
· Provide 1st line support to development teams on the methods available to address vulnerabilities.
· Experience working in software development and penetration testing experience in web and mobile application security
· Experience with web application vulnerability scanning tools (e.g., Burp Suite Pro)
· Practical knowledge of application security standards and compliance (e.g., OWASP, Sarbanes-Oxley Act, HIPAA)
· Solid knowledge of information security principles, web applications and a level of familiarity with malicious code and common techniques used by hackers.
· Knowledge of cloud-based infrastructures and how they affect security needs.
· Ability to read and understand system data including security event logs, system and application logs
· Solid understanding of enterprise-wide technologies, including databases, operating systems, web applications, etc.
· Ability to communicate technical concepts to nontechnical disciplines
· Proficiency with threat-modelling
· Knowledge of current application security and architectural trends
• Experience in engaging business functions (rather than purely IT)
• Ability to work with multidisciplinary and cross-functional teams
• Ability to negotiate towards a balanced, acceptable risk solution
• Team player with good interpersonal and influencing skills.
• Able to manage own workload.
• Ability to work under pressure to tight timelines and without direct supervision.
• Excellent analytical problem-solving skills.
• Information security qualifications (e.g. CISSP, CISM, CISA) preferable
Willis Towers Watson is a leading global advisory, broking and solutions company that helps clients around the world turn risk into a path for growth. With roots dating to 1828, Willis Towers Watson has 40,000 employees serving more than 140 countries. We design and deliver solutions that manage risk, optimize benefits, cultivate talent, and expand the power of capital to protect and strengthen institutions and individuals. Our unique perspective allows us to see the critical intersections between talent, assets and ideas – the dynamic formula that drives business performance. Together, we unlock potential. Learn more at willistowerswatson.com.
Willis Towers Watson is an equal opportunity employer
Willis Towers Watson believes that effectively managing a diverse workforce is vital to our business strategy. We have an obligation to our organization, ourselves and our clients to hire and develop the best people we can find. We will continually review our policies and practices to ensure that all areas of the employment process (including recruiting, hiring, work assignments, compensation, benefits, promotions, transfers, company-sponsored development programs and overall workplace experience) are free from discriminatory practices. We are committed to equal employment opportunities at Willis Towers Watson.
Unsolicited Contact: Any unsolicited resumes/candidate profiles submitted through our web site or to personal e-mail accounts of employees of Willis Towers Watson are considered property of Willis Towers Watson and are not subject to payment of agency fees. In order to be an authorized Recruitment Agency/Search Firm for Willis Towers Watson, any such agency must have an existing formal written agreement signed by an authorized Willis Towers Watson recruiter and an active working relationship with the organization. Resumes must be submitted according to our candidate submission process, which includes being actively engaged on the particular search. Likewise, for our authorized Recruitment Agencies/Search Firms, if the candidate submission process is not followed, no agency fees will be paid by Willis Towers Watson. Willis Towers Watson is an equal opportunity employer.