Position Overview:
The Application Security Consultant assesses the security of applications and digital environments within government entities and provides recommendations to improve security posture and compliance.
The role includes application security assessments, architecture reviews, vulnerability analysis, and aligning systems with Saudi cybersecurity regulations. The consultant will also support SSDLC and DevSecOps practices, particularly in Azure environments.
Key Responsibilities:
- Security Assessment & Architecture
  - Assess security of web, mobile, and enterprise applications.
  - Identify vulnerabilities, misconfigurations, and architectural risks.
  - Review application architecture, APIs, integrations, and data flows.
  - Evaluate authentication, authorization, and data protection mechanisms.
- Security Testing & Risk Management
  - Perform security testing (SAST, DAST, basic penetration testing).
  - Conduct risk assessments and classify vulnerabilities based on severity, likelihood, and impact.
  - Validate remediation and track closure of security findings.
- Compliance & Governance
  - Evaluate compliance with:
    - NCA Essential Cybersecurity Controls (ECC).
    - SAMA Cybersecurity Framework (CSF) (if applicable).
    - PDPL and NDMO requirements.
  - Map findings to regulatory controls and support audit readiness.
  - Contribute to governance, risk, and compliance (GRC) activities.
- SSDLC & DevSecOps
  - Promote and assess Secure SDLC (SSDLC) practices.
  - Support integration of security into CI/CD pipelines (DevSecOps).
  - Review and recommend security configurations in Azure DevOps and cloud environments.
- Reporting & Advisory
  - Prepare security assessment and risk reports.
  - Provide remediation recommendations and improvement roadmaps.
  - Present findings to technical teams and stakeholders.
  - Support implementation of security controls.
Qualifications:
Education & Experience
- Bachelor's degree in Cybersecurity, Computer Science, or a related field.
- 8+ years of experience in application security or cybersecurity consulting.
Technical Knowledge
- Strong understanding of the OWASP Top 10 and application security principles.
- Experience with SAST, DAST, and security tools (e.g., Burp Suite, Fortify, Snyk).
- Knowledge of Secure SDLC (SSDLC) and DevSecOps practices.
- Familiarity with Azure cloud and Azure DevOps pipelines.
- Understanding of Saudi cybersecurity regulations (NCA, SAMA, PDPL).
Skills
- Strong analytical and problem-solving abilities.
- Ability to assess complex systems and architectures.
- Strong reporting and documentation skills.
- Ability to communicate effectively with technical and non-technical stakeholders.
- Consulting and advisory mindset.
Preferred Certifications
- CISSP, CEH, OSCP, CSSLP
- ISO 27001 Lead Implementer / Auditor