Application Security Analyst - Cyber Security

Company

Costco Wholesale

Address Seattle, WA 98134
Employment type
Salary $95,000 - $130,000 a year
Expires 2023-07-28
Posted 11 months ago
Job Description

Costco IT is responsible for the technical future of Costco Wholesale, the third largest retailer in the world with wholesale operations in fourteen countries. Despite our size and explosive international expansion, we continue to provide a family, employee-centric atmosphere in which our employees thrive and succeed. As proof, Costco ranks seventh in Forbes “World’s Best Employers”.

This is an environment unlike anything in the high-tech world and the secret of Costco’s success is its culture. The value Costco puts on its employees is well documented in articles from a variety of publishers including Bloomberg and Forbes. Our employees and our members come FIRST. Costco is well known for its generosity and community service and has won many awards for its philanthropy. The company joins with its employees to take an active role in volunteering by sponsoring many opportunities to help others.

Come join the Costco Wholesale IT family. Costco IT is a dynamic, fast-paced environment, working through exciting transformation efforts. We are building the next generation retail environment where you will be surrounded by dedicated and highly professional employees.

The role of each Information Security team member is to support the overarching values and business goals of Costco, including meeting legal, ethical, and regulatory obligations; protecting member privacy; and maintaining a secure technology environment for our operations.

Security Analysts support the values and business goals as they relate to legal, ethical, and regulatory obligations; protect privacy; and maintain a secure technology environment. Security Analysts develop and execute security controls, defenses, and countermeasures to intercept and prevent internal/external attacks, infiltration of company data, and compromising of systems and accounts. Security Analysts research attempted/successful efforts to compromise systems security; design countermeasures; implement and maintain physical, technical, and administrative security controls; and provide information to management regarding the negative impact to the business.

This Application Security Analyst position performs configuration, troubleshooting, monitoring, and auditing of information system activities utilizing multiple application security testing tools to ensure security best practices are enforced; creates and maintains documentation related to policies, standards, and procedures; mentors team members; and provides consultative services to teams and stakeholders to improve application security within their environments. In addition, the Security Analyst position is expected to work with suppliers for product consideration and recommendation.

Primarily, this Security Analyst should have in-depth working experience and knowledge of application-specific testing methodologies and vulnerabilities. A successful candidate should also have solid skills in Windows and cloud, along with in-depth knowledge of and work experience with industry-recognized security best practices.

If you want to be a part of one of the worldwide BEST companies “to work for”, simply apply and let your career be reimagined.


ROLE

Works analytically to solve both tactical and strategic problems within the Application Security program.

Collects and aggregates information from a wide variety of sources and formats for relevance to our environment; monitors and provides metrics on threat level of vulnerabilities.

Supports the implementation, configuration, and management of application security tools.

Provides recommendations on remediation processes and guidance on how to fix application-specific vulnerabilities.

Onboards new and existing applications and sites in application security tooling platforms; and facilitates static and dynamic testing through either automated or manual testing processes throughout the SDLC.

Establishes rapport and partners with other IS teams to mature the Application Security program.

Contributes to and participates in team activities and planning with regard to improving team skills, awareness, communication, reputation, and quality of work.

Works with development teams to integrate application security practices into CI/CD pipelines.

Collaborates and communicates effectively with Compliance, Internal Audit, Business teams, and others to identify, analyze, and communicate risk regarding application security to support business requirements.

Responds to tickets, support requests, and incidents in a proactive manner.

Coordinates with the Incident Response team to remediate security incidents as needed.

Understands regulatory and compliance requirements that may impact security and effectively collaborates with business areas and project teams to develop security solutions.

Understands security problems as a balance of both security and business needs.

Advocates internally and externally for compliance and security measures to protect enterprise applications and environments.

Works with information systems owners and administrators to understand their security needs and assists with implementing practices and procedures consistent with Costco’s security policies.

Builds and maintains supplier partnerships to further Costco’s mission and goals.

Maintains current knowledge of industry trends and standards.

Creates and maintains updated environmental documentation (including processes and procedures), tasks, change records, etc.

Continues professional growth in the areas of technology, business knowledge, and Costco policies and platforms.

REQUIRED

Minimum of 1+ years’ experience (2+ preferable) working in a cybersecurity position in an enterprise environment.

Working knowledge of application security testing methodologies, such as SAST, DAST, MAST, and SCA.

Hands-on experience with static and/or dynamic code scanning and subsequent remediations.

Working knowledge of vulnerability management processes.

Familiarity with OWASP Top 10 and CIS 18.

Familiarity with industry recognized Risk Rating Methodologies.

Familiarity with Agile development concepts and methods, such as Scrum or Kanban.

Excellent understanding of SDLC and DevOps concepts, such as CI/CD pipelines.

Knowledge of Azure cloud computing and cloud services.

Knowledge of complex application platforms, such as the Java EE and .NET platform.

Familiarity with programming languages and Web Service technologies (ex. SOAP, REST, GraphQL, etc.).

Strong understanding of security frameworks, such as PCI, HIPAA, GDPR, etc.

Experience with Windows, Linux, and networking environments.

Working knowledge of information systems’ security standards/practices (e.g., access control and system hardening, system audit and log file monitoring, security policies, and incident handling).

Ability to clearly communicate Information Security matters to executives, auditors, end users, and engineers, using appropriate language, examples, and tone.

Ability to interpret and present vulnerability finding descriptions and solutions to technical and non-technical users.

Ability to quickly understand systems in order to identify and validate security requirements.

Demonstrated logical and structured approach to time management and task prioritization in supporting team goals.

Demonstrated high level of communication skills, both verbal and written.

Strong analytical skills, documentation skills, and awareness of change management.

Ability to embrace and support team collaboration and communication; strong collaborative mindset, able to function as a contributing member of the team.

Ability to adapt to changing priorities.

Experience handling highly confidential and sensitive information in a strictly professional manner.

Scheduling flexibility to meet the needs of the business, including outside of regular business hours; possibly 24/7 to accommodate all Costco locations.

RECOMMENDED

One or more professional audit or security certifications, such as Security+, CISA, GSEC or CISSP (or equivalent experience).

Experience with one or more scripting/programming languages.

Experience with patch and vulnerability management.

Understanding of information security frameworks and how they enhance security and support compliance, such as NIST.

Programming experience including manual code reviews.

Familiarity with application development platforms, including Azure DevOps, GitHub, Jenkins, and SonarQube.

Experience in endpoint protection tools is helpful.

Knowledge of multi-factor authentication and authentication processes, protocols, and services, as well as PKI and token/certificate-based authentication, DNS, and AD structure.

Required Documents

  • Cover Letter
  • Resume

California applicants, please click here to review the Costco Applicant Privacy Notice.


Pay Ranges:

Level 2 - $95,000 - $130,000

Level 3 - $125,000 - $165,000

Level 4 - $150,000 - $195,000

We offer a comprehensive package of benefits including paid time off, health benefits - medical/dental/vision/hearing aid/pharmacy/behavioral health/employee assistance, health care reimbursement account, dependent care assistance plan, short-term disability and long-term disability insurance, AD&D insurance, life insurance, 401(k), and a stock purchase plan to eligible employees.

Costco is committed to a diverse and inclusive workplace. Costco is an equal opportunity employer. Qualified applicants will receive consideration for employment without regard to race, national origin, gender, gender identity, sexual orientation, protected veteran status, disability, age, or any other legally protected status. If you need assistance and/or a reasonable accommodation due to a disability during the application or the recruiting process, please send a request to [email protected]

If hired, you will be required to provide proof of authorization to work in the United States.