Key skills
Information SecurityApplication SecurityVulnerability ManagementOWASP Top 10Vulnerability TriageVulnerability ValidationVulnerability PrioritizationSASTSCADASTSource Code ReviewVulnerability Tracking PlatformsCommunicationOWASP
About this role
CBTS is seeking an Information Security Engineer (Level IV) to support the operational processes of their Enterprise Vulnerability Management Application Security program. The role includes reviewing and triaging vulnerability submissions, assessing exploitability and business impact, and ensuring effective communication with application and engineering teams.
Responsibilities:
- Review and triage vulnerability submissions from external researchers
- Validate technical accuracy, exploitability, and business impact
- Assess severity and impact in alignment with established scoring models and program standards
- De-duplicate and disposition invalid or non-actionable submissions
- Classify vulnerabilities using established taxonomy
- Identify and assign remediation owners using established processes
- Support vulnerability tracking within centralized tools
- Evaluate false positive requests from application teams
- Analyze scanner findings (SAST/SCA) and perform source code review as needed to validate findings
- Determine validity and provide evidence-based disposition with rationale
- Contribute to continuous improvement of triage standards, playbooks, and procedures
- Maintain awareness of common application security vulnerabilities and emerging threats
- Ensure vulnerability handling aligns with internal policies, standards, and regulatory expectations
- Maintain defensible documentation and provide supporting evidence for audit, regulatory, and internal review requirements
- Escalate high-risk or time-sensitive vulnerabilities as appropriate
- Communicate findings, impact, and remediation guidance clearly
- Partner with application and engineering teams to enable timely remediation
Requirements:
- Bachelor's degree in Computer Science, Information Security, or related field, or equivalent practical experience
- 3–5 years of related experience in information security, application security, or vulnerability management
- Strong understanding of application security principles, secure development practices, and common vulnerabilities (e.g., OWASP Top 10)
- Experience with vulnerability triage, validation, and prioritization
- Familiarity with vulnerability scanning tools and outputs (e.g., SAST, SCA, DAST)
- Ability to review and understand source code to validate vulnerabilities
- Strong analytical skills to assess exploitability and business risk
- Experience with vulnerability management or tracking platforms (e.g., ticketing systems, dashboards)
- Strong attention to detail and ability to make defensible decisions
- Must be able to communicate ideas both verbally and in writing to management, business and IT sponsors, and technical resources in language that is appropriate for each group
- Previous experience working with distributed or offshore teams desired
- Financial industry experience is a plus