Solvex Solutions

Secure Source Code Reviewer

Solvex Solutions
United Arab Emirates · Contract · Mid-Senior

Position: Secure Source Code Reviewer (SAST Specialist)

Domain: Application Security – Manual & Tool-Assisted Code Review


1. Role Summary:

Performs manual and tool-assisted secure code reviews across languages in use (Java, Python, Go, TypeScript, C#, etc.). Validates SAST findings, eliminates false positives, and identifies vulnerabilities that static analysis cannot detect — such as complex business-logic flaws, cryptographic misuse, and insecure design.


2. In-Scope Platforms / Tooling:

  • Fortify SCA, Semgrep, CodeQL, GitLab SAST (as supporting tooling)


3. Job Description – Key Responsibilities:

  • Conduct in-depth code reviews on high-risk modules (auth, crypto, data handling).
  • Triage Fortify/SAST backlog: validate findings, classify true/false positives, and advise developers on fix patterns.
  • Author and maintain secure-coding guidelines and language-specific hardening checklists.
  • Provide secure-coding training and 'office hours' for development teams.
  • Partner with the DevSecOps Pipeline Engineer to refine SAST rule sets and reduce noise.
  • Contribute to threat modelling and architecture reviews.


4. Goals:

  1. Raise the signal-to-noise ratio of SAST findings so developers act on them.
  2. Catch design- and logic-level vulnerabilities that static tools miss.
  3. Continuously raise the secure-coding baseline across engineering teams.


5. Specific Objectives (SMART):

  1. Review 100% of critical-path modules on a defined rotation (at least quarterly).
  2. Review every SAST finding on the critical path prior to release sign-off.
  3. Publish quarterly secure-coding guidance updates based on observed anti-patterns.
  4. Measurably reduce false-positive rate of SAST pipeline quarter-over-quarter.


6. Timeline & Engagement Model:

12-month contract. Steady-state workload from week 1, aligned to sprint and release cadence.


7. Rationale & Framework Alignment:

Manual secure code review is an explicit requirement in NIST SSDF (PW.7), ISO 27001 A.8.28 (secure coding), OWASP SAMM Implementation, and is recognized by OWASP as catching 10–15% more serious vulnerabilities than SAST alone. SAST tools like Fortify produce large backlogs that developers ignore without expert triage; a dedicated reviewer converts noise into actionable, prioritized guidance and prevents the SAST investment from degrading into shelfware. This role is distinct from pentesting — it works upstream, before vulnerabilities ship.


8. Required Skills & Certifications:

  • Proven hands-on experience (3+ years) with the listed platforms or equivalents.
  • Relevant industry certifications (e.g. vendor certs, OSCP, CISSP, GCIH, CCSP, depending on role).
  • Strong scripting/automation skills (Python, Bash, PowerShell).
  • Working knowledge of NIST CSF 2.0, ISO 27001, MITRE ATT&CK, and UAE IA Regulation.
  • Excellent written and verbal communication — ability to brief both engineers and management.


9. Reporting Line:

Reports to the Principal Cybersecurity Architect. Day-to-day coordination with the Security Operations and Engineering teams.

Key Skills (ranked by relevance)

python, owasp, nist, cybersecurity, typescript, gitlab, cissp, java, bash, oscp, ccsp, c

Posted: May 13, 2026
Type: Contract
Level: Mid-Senior
Location: Abu Dhabi

Industries: IT Services, IT Consulting

Categories: Information Technology
