• Competitive
  • Singapore
  • Permanent, Full time
  • Citibank NA
  • 2018-12-11

Vulnerability Assessment Analyst (Deep-Dive Application VA)

  • Primary Location: Singapore, Singapore, Singapore
  • Education: Bachelor's Degree
  • Job Function: Technology
  • Schedule: Full-time
  • Shift: Day Job
  • Employee Status: Regular
  • Travel Time: No
  • Job ID: 18068134


Duties include providing deep-dive application vulnerability assessment services to Citi businesses globally through a comprehensive testing process, as well as identifying weaknesses and vulnerabilities within the system and proposing/implementing countermeasures. Typical assignments will involve in-depth testing of the security of critical applications and discovering possible gaps through the use of threat models, source code review, application behavior analysis, and other security frameworks or best practices, e.g. OWASP, OSSTMM, NIST publications, SANS/CWE. The candidate will be expected to act as a subject matter expert in offensive information security, specialized in web programming and application technology.


  • Pre-requisites for this position are at least a Bachelor's Degree with 5 - 10 years of experience in most of the following. Software developers with an understanding of security are encouraged to apply.
  • Strong knowledge of application development and programming languages, e.g. Java, .NET, Python, etc.
  • Strong knowledge of web application technology, e.g. Application Servers, Web Servers, Databases
  • Conducting vulnerability assessments and penetration testing (application and/or infrastructure) and articulating security issues to technical and non-technical audiences
  • Identifying, researching, validating, and exploiting various known and unknown security vulnerabilities on the server and client side
  • Experience conducting one or more of the following functions:
    • Application vulnerability assessments
    • Source code review
    • Application architecture reviews or threat modeling
Industry-accredited security certifications will be required (the candidate must have or be willing to obtain the following certifications - GIAC GWAPT, GPEN, GXPN, OSCP, and CISSP). Articulating security issues to technical and non-technical audiences is a plus. In addition, knowledge of tools and processes used to expose common vulnerabilities and implement countermeasures is expected. Excellent communication skills (written and verbal) and the ability to communicate with all levels of staff and management are also essential.