Application Security Analyst

• Relocation Assistance Available**
• Required three (3) days in the Orlando Headquarters Office and remote two (2) days.***

Position Summary
As a member of the professional staff, contributes general knowledge and skill in a discipline area.

(e.g., Accounting, Finance, Human Resources, Information Resources, Operations Planning & Support, Sales

& Marketing) to support team and/or department objectives.

Generally, works under limited supervision, but within established guidelines, producing and analyzing more.

complex business information to assist in the decision-making process.

Specific Job Summary
The Application Security Analyst role is responsible for incorporating security measures into the complete DevOps lifecycle and ensuring that security is an integral aspect of all software development and deployment processes. This position focuses on conducting comprehensive security assessments like static and dynamic analyses, code reviews, and automated vulnerability scans across various applications and environments. It also involves enforcing secure coding standards by collaborating with development, operations, and security teams to integrate vulnerability remediation within CI/CD pipelines.
In addition to conducting hands-on offensive security testing, this role requires expertise in mapping attack scenarios to frameworks such as the MITRE ATT&CK framework to assess the organization's defense mechanisms. The individual will be responsible for identifying weaknesses in both existing and new systems and providing detailed recommendations for improving security measures across various technology environments. The ideal candidate is a highly skilled and collaborative security professional with a deep understanding of offensive security techniques and a passion for improving security processes through continuous testing and learning.

Expected Contributions

• Contributes to team, department, and/or business results by performing complex quantitative and qualitative analysis for business processes and/or projects. Often manages small projects, business processes or parts of larger ones.
• Responds to, solves, and makes decisions on more complex/non-routine business requests with limited to moderate risk.
• Performs more complex quantitative and qualitative analysis for business processes and/or projects. Often manages small projects, business processes or parts of larger ones.
• Responds to, solves, and makes decisions on more complex/non-routine business requests with limited to moderate risk.
• Assists more senior associates in achieving business results by:
• identifying opportunities to enhance the effectiveness of business processes.
• participating in setting department operating plans.
• achieving results against budget within scope of responsibility.
• Demonstrates an awareness of personal strengths and areas for improvement and acts independently to improve and increase skills and knowledge.

Specific Expected Contributions

• Conducts thorough penetration testing of infrastructure, web applications, APIs, and cloud environments to identify vulnerabilities and potential attack vectors.
• Collaborates with application development teams to implement security testing practices early in the software development lifecycle (SDLC), ensuring secure code and configurations.
• Reviews application development processes to ensure secure coding practices are followed, identifying vulnerabilities in the development, staging, and production environments.
• Leads red team exercises simulating advanced persistent threats (APTs) to assess the organization's security resilience in real-world attack scenarios.
• Collaborates closely with blue team members to provide feedback on detection and response efforts and support the development of effective defenses.
• Maps offensive security test results to the MITRE ATT&CK framework to ensure comprehensive understanding of adversary tactics, techniques, and procedures (TTPs).
• Executes vulnerability assessments and perform threat simulations to evaluate the effectiveness of security controls in place.
• Conducts vulnerability validation, including verifying the exploitability of identified vulnerabilities and conducting follow-up testing to confirm remediation.
• Leads and mentor junior security analysts, providing guidance on offensive security techniques and tools.
• Develops and refines testing methodologies, including custom attack scenarios to improve the organization's testing capabilities.
• Collaborates with IT, security engineering, and development teams to ensure vulnerabilities are prioritized and remediated effectively.
• Documents and communicates findings, providing clear, actionable recommendations to improve security across technology platforms.
• Stays up to date with emerging threats and vulnerability trends, continuously improving security testing practices and capabilities.

Candidate Profile
Successful candidates should possess knowledge, experience, and demonstrate leadership skills as follows:

Generally, a professional position with specific knowledge in a discipline (e.g., Accounting, Human Resources, Information Resources). College degree and/or relevant experience typically required.

Specific Candidate Profile
Education

• Bachelor's degree in computer science, Information Security, or a related field. Equivalent work experience may be considered in lieu of a degree.

Certifications Preferred

• Offensive Security Certified Professional (OSCP)
• Certified Ethical Hacker (CEH)
• GIAC Penetration Tester (GPEN)
• Offensive Security Web Expert (OSWE)
• Certified Secure Software Lifecycle Professional (CSSLP)
• GIAC Web Application Penetration Tester (GWAPT)

Experience

• At least 4 years of experience in offensive security roles, including penetration testing, red teaming, and application security testing.
• Hands-on experience with penetration testing tools (e.g., Burp Suite, Metasploit, Kali Linux, Cobalt Strike) and custom scripting for security testing.
• Proven expertise in identifying and exploiting vulnerabilities in applications, including web applications, mobile apps, APIs, and cloud platforms.
• Experience working with modern development practices, including DevSecOps, CI/CD pipelines, and integrating security testing into the software development lifecycle (SDLC).
• Deep knowledge of application security testing methods, including static analysis, dynamic analysis, and fuzzing.
• Familiarity with security practices such as Secure Development Lifecycle (SDL), Secure Code Reviews, and application security code scanning.
• Experience with cloud platforms (AWS, Azure, GCP) and container security (e.g., Docker, Kubernetes).
• Ability to map attack scenarios to the MITRE ATT&CK framework and provide insights for improving security defenses.

Skills/Attributes

• Advanced Penetration Testing Skills: Deep knowledge of testing web and mobile applications, APIs, and cloud services for vulnerabilities, with strong experience exploiting weaknesses to simulate real-world attacks.
• Application Security Expertise: Extensive experience with application security practices, secure code reviews, and vulnerability scanning tools.
• Secure Development Knowledge: Strong understanding of application development methodologies (e.g., Agile, DevOps) and experience incorporating security into development processes and pipelines.
• Red Team Expertise: Ability to simulate sophisticated attack techniques and scenarios, providing insight into potential attack paths and evaluating the organization's defenses.
• Cloud Security Knowledge: Solid understanding of cloud security best practices, including securing cloud environments (AWS, Azure) and containerized applications (Docker, Kubernetes).
• Vulnerability Management & Exploitability: Expertise in validating vulnerabilities, assessing their risk, and verifying exploitability across a wide range of systems.
• Incident Response Collaboration: Ability to work with incident response teams to translate offensive testing results into actionable intelligence for defensive improvements.
• Strong Documentation and Reporting Skills: Ability to document testing methodologies, findings, and recommendations clearly and concisely, and communicate technical issues to both technical and non-technical stakeholders.
• Mentorship & Leadership: Ability to lead and mentor junior security team members, promoting a culture of continuous improvement in offensive security practices.
• Problem-Solving & Analytical Thinking: Strong problem-solving skills, with the ability to think like an attacker to uncover vulnerabilities and develop strategies for exploitation and risk mitigation.

Marriott Vacations Worldwide is an equal opportunity employer committed to hiring a diverse workforce and sustaining an inclusive culture.