Security Consultant - July 2024

Kommlink, Remote

Posted 1 week ago

For one of our clients in the energy industry we’re looking for a freelance Security Consultant:
Project description:
The LoB Sales & Trading IT Architects team (F_OI5-A) provides IT solution architecture and optimization services to projects and teams in the client’s CCO area.
Most solutions are based on the MS Azure cloud and were built with functional requirements in mind. While maturing our cloud utilization we would like to identify strategic areas where security could be improved in our IT landscape. This starts with using the client's DevSecOps tool, Snyk, and with identifying where applications are not using a modern authentication scheme based on OAuth2 and where secrets in applications are not rotated regularly.
Detailed description of the agile method/services:
The services shall be provided within the framework of an agile development method. The concrete activities required in each case to implement the commissioned services shall be agreed iteratively between the parties in sprint meetings and implemented by the consultant within the respective sprints following those meetings. Prior to each sprint meeting, the consultant shall independently check, on the basis of its professional expertise, which individual services are reasonable and feasible within the scope of the assignment in the respective sprint.
The sprints each have a duration of 2-3 weeks, so the sprint meetings take place at the beginning and at the end of every sprint (every 2-3 weeks). Within the individual sprints, the contracting parties shall coordinate the respective technical requirements for the services to be provided in weekly meetings. The technical requirements for the services to be provided are assessed by the consultant on the basis of its own technical assessment.
After completion of a sprint, the parties shall conduct a "Sprint Review" in which the consultant reports on the findings and status of the services performed in the previous sprint and makes a recommendation on how to proceed with regard to the services that proved to be unfeasible in that sprint. In that sense the consultant works like an agile developer.
The objective is to deliver as many sprints as possible until the end of 2024. As sprints may vary in complexity, the exact number cannot be stated upfront.
Task description:
  • Analyze which applications and teams use Git repositories to store their application code or deployment pipelines
  • Analyze which applications and teams use Subversion to store their application code
  • Identify which repositories are active and which are inactive and can be archived
  • Analyze which build and release pipelines are used by the different repositories and whether the repositories could be onboarded to Snyk
  • Document dependencies in SVN build pipelines and propose a new build toolset on GitHub or Azure DevOps
  • Create a plan for the migration of Subversion repositories to GitHub or Azure DevOps
  • Create a template for Sales & Trading GitHub organizations so that repositories and repository access are deployed via Terraform with the GitHub provider
  • Carry out migration activities after approval by the client project manager: set up the repositories and move the code and the other components
  • Onboard new GitHub organizations and Azure DevOps projects to Snyk
  • Identify which applications currently use static secrets in their application code instead of a modern authentication scheme via OAuth2, e.g. by using Azure Resource Graph Explorer to find these resources
  • Analyze where managed identities are not used inside the Sales & Trading IT landscape and where role assignments do not make use of the narrowest Azure RBAC role (e.g. Storage Account Contributor vs. Contributor permissions)
  • Analyze where Azure DevOps pipelines use static secrets for authentication instead of workload identities
  • Migrate static secrets to workload identities wherever possible after gaining approval from the client
  • Analyze and document which applications use static secrets
  • Analyze and document which applications have regular secret rotation practices in place
  • Create a proposal for how dynamic secret rotation can be implemented for certain clusters
Perform the analysis based on the analysis parameters stated by the client Information Security Architect. Share the findings with the developer teams after approval from the client Information Security Architect.
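The managed-identity and RBAC analysis items above can be started from Azure Resource Graph. The following is an added example (not code from the client, Kommlink, or the posting): two KQL queries a practitioner would paste into Resource Graph Explorer, plus offline post-processing of the rows they return. The query text, the field names in the sample rows, and the sample values are assumptions; the two role-definition GUIDs are the built-in Contributor and Storage Account Contributor roles, which you can confirm with `az role definition list`.

```python
"""Triage helpers for the managed-identity and Azure RBAC analysis.

Added example. The KQL strings are what you would run in Resource Graph
Explorer; the functions below work on the rows those queries return.
SAMPLE_* rows are constructed stand-ins for real query output.
"""
import json

# Resource Graph query: app/compute resources and their managed identity type.
# Assumed query; extend the type list to the resource types in the landscape.
IDENTITY_QUERY = """
resources
| where type in~ ('microsoft.web/sites',
                  'microsoft.compute/virtualmachines',
                  'microsoft.containerservice/managedclusters')
| extend identityType = tostring(identity.type)
| project name, type, resourceGroup, subscriptionId, identityType
"""

# Resource Graph query: every role assignment with its role and scope.
ROLE_ASSIGNMENT_QUERY = """
authorizationresources
| where type =~ 'microsoft.authorization/roleassignments'
| project id,
          scope = tostring(properties.scope),
          roleDefinitionId = tostring(properties.roleDefinitionId),
          principalType = tostring(properties.principalType)
"""

# Built-in role definition GUIDs (last path segment of roleDefinitionId).
CONTRIBUTOR = "b24988ac-6180-42a0-ab88-20f7382dd24c"
STORAGE_ACCOUNT_CONTRIBUTOR = "17d1049b-9a84-46fb-8f53-869881c3d3ab"

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed
ROLE_DEF = f"{SUB}/providers/Microsoft.Authorization/roleDefinitions/"

SAMPLE_RESOURCES = [  # constructed rows in the shape IDENTITY_QUERY returns
    {"name": "trading-api", "type": "microsoft.web/sites", "identityType": "SystemAssigned"},
    {"name": "legacy-batch-vm", "type": "microsoft.compute/virtualmachines", "identityType": "None"},
    {"name": "pricing-func", "type": "microsoft.web/sites", "identityType": ""},  # no identity block
    {"name": "aks-sales", "type": "microsoft.containerservice/managedclusters",
     "identityType": "SystemAssigned, UserAssigned"},
]

SAMPLE_ASSIGNMENTS = [  # constructed rows in the shape ROLE_ASSIGNMENT_QUERY returns
    {"id": "ra-1", "scope": SUB, "roleDefinitionId": ROLE_DEF + CONTRIBUTOR,
     "principalType": "ServicePrincipal"},
    {"id": "ra-2", "scope": f"{SUB}/resourceGroups/rg-trading/providers/Microsoft.Storage/storageAccounts/sttrading",
     "roleDefinitionId": ROLE_DEF + CONTRIBUTOR, "principalType": "ServicePrincipal"},
    {"id": "ra-3", "scope": f"{SUB}/resourceGroups/rg-trading/providers/Microsoft.Storage/storageAccounts/stpricing",
     "roleDefinitionId": ROLE_DEF + STORAGE_ACCOUNT_CONTRIBUTOR, "principalType": "ServicePrincipal"},
]


def resources_without_managed_identity(rows):
    """Names of resources whose identity block is absent ('') or 'None'."""
    return [r["name"] for r in rows
            if (r.get("identityType") or "None").strip().lower() == "none"]


def role_id(role_definition_id):
    """Extract the role GUID from a full roleDefinitionId resource path."""
    return role_definition_id.rsplit("/", 1)[-1].lower()


def scope_kind(scope):
    """Classify an assignment scope: subscription, resourceGroup, storageAccount, other."""
    s = scope.lower()
    if "/providers/microsoft.storage/storageaccounts/" in s:
        return "storageAccount"
    if "/resourcegroups/" in s and "/providers/" not in s:
        return "resourceGroup"
    if s.startswith("/subscriptions/") and "/resourcegroups/" not in s and "/providers/" not in s:
        return "subscription"
    return "other"


def overly_broad_contributor(assignments):
    """(assignment id, reason) for Contributor assignments a narrower role could replace."""
    findings = []
    for a in assignments:
        if role_id(a["roleDefinitionId"]) != CONTRIBUTOR:
            continue
        kind = scope_kind(a["scope"])
        if kind == "storageAccount":
            findings.append((a["id"], "Contributor on a storage account: Storage Account Contributor "
                                      "(or a data-plane role) is sufficient"))
        elif kind in ("subscription", "resourceGroup"):
            findings.append((a["id"], f"Contributor at {kind} scope: scope the assignment to the "
                                      "resources actually managed"))
    return findings


def report(resources=SAMPLE_RESOURCES, assignments=SAMPLE_ASSIGNMENTS):
    """Combine both checks into the structure handed to the developer teams."""
    return {"no_managed_identity": resources_without_managed_identity(resources),
            "contributor_findings": overly_broad_contributor(assignments)}


if __name__ == "__main__":
    print(json.dumps(report(), indent=2))
```

Run the two queries in Resource Graph Explorer (or `az graph query -q "..."`), export the rows as JSON, and feed them to `report()` in place of the constructed samples. The identity check only shows which resources cannot be using a managed identity; confirming that a flagged application really authenticates with a static secret still requires looking at its configuration and code.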
Skills:
  • English
  • Azure Cloud
  • Azure DevOps
  • GitHub
  • Azure Resource Graph query
  • German – nice to have
  • Terraform IAC – nice to have
  • Snyk – nice to have
  • Subversion – nice to have
Project start: ASAP
Project duration: 6+ months
Project location: Remote
Project capacity: 20 hrs./week