I10 - Vulnerability Analyst (030)

Description

The Vulnerability Management Analyst is responsible for vulnerability scanning, validation of findings, remediation tracking, and oversight of external penetration testing vendors across applications, infrastructure, and technology platforms. This role will come under the IT Risk and Security department, reporting to the Senior Manager of Cyber Assurance.

Key Responsibilities

• Perform vulnerability scanning, discovery, remediation tracking, SLA monitoring, and verification of vulnerability fixes.
• Review and communicate vulnerability assessment findings to affected teams, and follow up on queries and remediation actions.
• Manage and coordinate external vendors performing vulnerability assessments and penetration tests, including support for tooling, product issues, and related queries from internal teams.
• Maintain and amend the VA scan scripts when necessary to reduce the false positives.
• Generate Dashboard and share the VA scan results with Department HOD and team manager on issues and concerns in the weekly team meeting.
• On monthly basis, perform reconciliation on any agents that are not reporting and any new servers.
• Compliance and hardening checks on organisation assets, including cloud to ensuring alignment with CIS or other applicable standards.
• Prepare VA statistics and reports in the quarterly management meetings.
• Support the compliant standards and SOP to conduct VA scan to cover MS Azure Cloud and Google cloud tenant
• Perform risk assessment on vulnerability and penetration test findings, and recommend remediation or compensating controls where direct remediation is not feasible.
• Review vendor penetration testing scope, methodology, and findings to assess technical accuracy, exploitability, business impact, and remediation priority.
• Experienced in Bug Bounty Program, validating severity and business impact, tracking remediation closure, managing researcher communications and support maintenance of scope, outcomes reporting
• Undertake other projects and tasks that may be assigned by management.

Qualifications / Requirements

• Bachelor's Degree with more than 3 years of experience in Cyber Security or information security. Experienced in vulnerability management, vulnerability assessment, infrastructure security, or
• similar information security roles. Open to consider candidates with at least 2 years of relevant experience
• Relevant industry certifications such as CISSP, OSCP, CREST CPSA CRT, SANS certifications preferred.

Competencies

• Hands-on experience on vulnerability assessment tools with Tenable Vulnerability Management / Tenable One / Nessus is a must.
• Good understanding of vulnerability management standards, remediation SLAs, and the ability to follow up with stakeholders to drive timely closure of findings.
• Working knowledge of vulnerability scoring and prioritisation models such as CVSS, Tenable VPR, and EPSS.
• Experienced in conducting technical risk assessments, including assessment of preventive and detective controls.
• Working knowledge of vulnerability management procedures, remediation tracking, and service level agreement monitoring.
• Strong understanding of penetration testing methodologies and Web/API application security, Mobile and AI/LLM. OWASP top 10
• Understanding of CIS security hardening standards and baseline controls for servers, operating systems, databases, and for cloud environments such as AWS, Azure.
• Able to engage stakeholders effectively, follow up on remediation actions, and drive closure of vulnerabilities within required timelines.