Master information

Ref. no.: FREELANCE_1149843_CR/117255_1718710220

IT Security Analyst (m/w/d)

Position: IT Security Analyst (m/w/d)

Start: As soon as possible

End: Dec 1, 2024

Location: Düsseldorf, Germany

Method of collaboration: Project only

Hourly rate: Not specified

Latest update: Jun 18, 2024

Task description and requirements

We have a current opportunity for an IT Security Analyst (m/w/d) on a contract basis.

Start: 15/07/2024
End: 31/12/2024
Location: remote
Volume: 20 hours per week

Description:
Most solutions are based on the MS Azure cloud and have been built with functional requirements in mind. While maturing their cloud utilization, our client would like to identify strategic areas where security could be improved in their IT landscape. This starts with using the DevSecOps tool Snyk, as well as identifying where our client is not using a modern authentication scheme based on OAuth2 and is not regularly rotating secrets in applications. Our client has an Information Security Guideline and Policies that need to be followed. Because the development teams are mostly decentralised, this work is quite tedious and needs a dedicated external resource to execute it.
Therefore, the external consultant has a unique position compared to the client's internal project staff and provides significantly different services than the internal staff. The services shall be provided within the framework of an agile development method.

Tasks:
The activities required in each case to implement the commissioned services shall be agreed iteratively between the parties within the framework of sprint meetings and implemented by the consultant within the respective sprints following those meetings. Prior to each sprint meeting, the consultant shall independently check, based on its professional expertise, which individual services are reasonable within the scope of the assignment in the respective sprint.

The sprints each have a duration of 2-3 weeks, so that the sprint meetings take place at the beginning and at the end of every sprint (every 2-3 weeks). Within the individual sprints, the contracting parties shall coordinate the respective technical requirements for the services to be provided in weekly meetings.

The technical requirements for the services to be provided are assessed by the consultant based on its own technical assessment. After completion of a sprint, the parties shall conduct a "Sprint Review" in which the consultant reports on the findings and status of the services it performed in the previous sprint and makes a recommendation on how to proceed with regard to the services that proved to be unfeasible in that sprint.

In that sense, the consultant works like an agile developer.
The objective is to deliver as many sprints as possible until the end of 2024.
As sprints may vary in complexity, the exact number cannot be stated upfront.

- Analyze which applications & teams are using Git repositories for storing their application code or deployment pipelines
- Analyze which applications & teams are using Subversion to store their application code
- Identify which repositories are active and which are inactive and can be archived
- Analyze which build & release pipelines are being used inside the different pipelines and whether the repositories would be compatible with onboarding on Snyk
- Document dependencies in SVN build pipelines and propose a new build toolset on GitHub / Azure DevOps
- Create a plan for the migration of Subversion repositories to GitHub / Azure DevOps
- Create a template for Sales & Trading GitHub organizations so that repositories and access to repositories are deployed via Terraform with the GitHub provider
- Carry out migration activities after approval by the client project manager by actively setting up the code and repositories and moving the code as well as other components
- Onboard new GitHub organizations and Azure DevOps projects on Snyk
- Identify which applications are currently using static secrets in their application code and not utilizing a modern authentication scheme via OAuth2, e.g. by using Azure Resource Graph Explorer to find these resources
- Analyze where managed identities are not being used inside the Sales & Trading IT landscape and where role assignments are not being used to make use of Azure RBAC (e.g. Azure Storage Account Contributor vs. Contributor permissions)
- Analyze where Azure DevOps pipelines are using static secrets for authentication instead of workload identities
- Migrate static secrets to workload identities wherever possible after gaining approval from the client
- Analyze & document which applications are using static secrets
- Analyze & document which applications have regular secret rotation practices in place
- Create a proposal for how dynamic secret rotation can be implemented for certain clusters

Skills:
- Fluent English
- Azure Cloud, Azure DevOps, GitHub, Azure Resource Graph queries

Nice to have:
- German language skills
- Terraform IaC, Snyk and Subversion

If you are interested, please apply with your latest CV.


Category

Office management / secretariat, Microsoft Azure, Cloud Migration, Storage