The Division of Information Technology provides support to the IAEA in the field of information and communication technology (ICT), including information systems for technical programmes and management. It is responsible for planning, developing and implementing an ICT strategy, for setting and enforcing common ICT standards throughout the Secretariat and for managing central ICT services. The IAEA's ICT infrastructure comprises hardware and software platforms, and cloud and externally hosted services. The Division has implemented an IT service management model based on ITIL (IT Infrastructure Library) and Prince2 (Projects in a Controlled Environment) best practices.

The Infrastructure Services Section (ISS) is responsible for implementing, maintaining and administering the ICT systems and services for high availability; designing, implementing and operating IT security services; and managing the data centre. The platforms include Microsoft Windows servers, Linux servers, Oracle EBS infrastructure, data storage and transmission networks, serving more than 2500 staff, as well as over 10000 external users around the world. The Section includes three Units: Network and Telecommunications, Enterprise Systems, and Security Systems.
The Application Security Engineer leads application security and security threat research activities to strengthen IAEA information security and DevOps practices. He/she participates in the development, delivery and administration of the comprehensive application security program for the IAEA. The successful candidate will work with software development and security peers, supporting day-to-day security DevOps activities including, but not limited to, Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Web Application Firewall (WAF), API security, security threat research, and investigation of possible application security incidents.

The Application Security Engineer is (a) a technical specialist contributing to the design and formulation of security measures, procedures and standards on all aspects of application security; (b) a solution provider, coordinating application security service delivery; (c) a team member actively involved in planning, implementing, testing and deploying application security controls; and (d) a security threat researcher and incident handler.
Functions / Key Results Expected
- Perform application security analysis, including code and architecture review, analysis of data flows and penetration testing, and make recommendations for corrective actions.
- Actively contribute to top-notch R&D initiatives related to data analysis, investigations, custom application development, and intelligence collection and analysis.
- Participate in threat research, vulnerability discovery and investigations.
- Implement and administer preventive and monitoring security controls for the application environment.
- Identify application security issues and risks, and work with the development team to define mitigation plans.
- Research and evaluate new and emerging security technologies, features and products.
- Provide substantive inputs and suggestions on all aspects of application design, vulnerability testing, security infrastructure, security plans and services.
- Coordinate application security services, installation and maintenance based on services from external vendors and other UN agencies.
- Prepare written reports using data and statistics to contribute towards efficient, effective and secure software deployment.
- Provide technical inputs and guidance on the deficiencies and effectiveness of application security control deployment and usage.
- Create and deliver application security training to peers and junior staff.
Competencies and Expertise
Core Competencies

- Planning and Organizing: Plans and organizes his/her own work in support of achieving the team or Section's priorities. Takes into account potential changes and proposes contingency plans.
- Communication: Communicates orally and in writing in a clear, concise and impartial manner. Takes time to listen to and understand the perspectives of others and proposes solutions.
- Achieving Results: Takes initiative in defining realistic outputs and clarifying roles, responsibilities and expected results in the context of the Department/Division's programme. Evaluates his/her results realistically, drawing conclusions from lessons learned.
- Teamwork: Actively contributes to achieving team results. Supports team decisions.

Functional Competencies

- Client orientation: Helps clients to analyse their needs. Seeks to understand service needs from the client's perspective and ensures that the client's standards are met.
- Commitment to continuous process improvement: Plans and executes activities in the context of quality and risk management and identifies opportunities for process, system and structural improvement, as well as improving current practices. Analyses processes and procedures, and proposes improvements.
- Technical/scientific credibility: Ensures that work is in compliance with internationally accepted professional standards and scientific methods. Provides scientifically/technically accepted information that is credible and reliable.

Required Expertise

- IT Security: Expertise in threat research as well as implementation and maintenance of technical application security controls.
- Information Technology, Information Security and Risk Management: Practical expertise in managing security vulnerabilities, threats and risks according to best practices.
- Information Technology, Software Engineering: Proven ability to use one or more of the programming languages (Java/Ruby/Python/Perl) and deep understanding of the Secure Software Development Life Cycle and DevOps principles.
- Information Technology, Technical Writing: Expertise in creating technical documentation.
- Information Technology, Web Development: Understanding of Web API development, security threats and remediation best practices.
Qualifications, Experience and Language skills
- University degree in Computer Science, IT Security, Information Security or a closely related field.
- An internationally recognised security certification, such as EC-Council CASE, EC-Council E|CIH, Offensive Security OSCP or CSSLP, would be an advantage.
- Minimum 5 years of relevant technical experience, of which at least 2 years in one or more of the following domains: application and software security, technical threat research, penetration testing, secure software development.
- Foundation in, and in-depth technical knowledge of, security engineering, computer and network security, authentication, security protocols and applied cryptography.
- Demonstrated experience with tools and techniques used for software security analysis, including penetration testing and static and dynamic analysis. Experience with public cloud environments and technologies, including Amazon Web Services, MS Azure and MS DevOps.
- Experience with Python, Perl, or other scripting languages.
- Excellent oral and written command of English. Knowledge of other official IAEA languages (Arabic, Chinese, French, Russian and Spanish) is an asset.