Info Security Analyst

Job Expired

Auto req ID: 267354BR

Job Description

The Application Security Team at PepsiCo is a diverse, tight-knit family comprised of people who are
passionate about their craft.

The successful Application Security Engineer plays a chief role in keeping PepsiCo’s Global Portfolio
of web, mobile, and brand sites protected from constantly evolving cyber threats by:

  • Performing vulnerability assessments on PepsiCo internal and 3rd party developed source code and systems.
  • Serving internal customers by advising and providing expert guidance on remediation strategies for identified vulnerabilities.
  • Partnering with PepsiCo’s bug bounty and external threat research partners to communicate externally identified vulnerabilities and ensure remediation outcomes.
  • Working across PepsiCo’s Global DevSecOps and Information Security organizations to scale Application Security through expanding our toolsets, automation capabilities, and integration into PepsiCo’s CI/CD pipeline.
  • Proposing change and process improvements to the team by challenging the status quo through new ideas and novel concepts.

  • COVID-19 vaccination is a condition of employment for this role. Please note that all such company vaccine requirements provide the opportunity to request an approved accommodation or exemption under applicable law.

Key Responsibilities:

  • Execute SAST, DAST, and SCA assessments as part of the Application Security Team’s daily operations.
  • Participate in digesting, translating, and communicating vulnerabilities discovered by bug bounty and external research partner sources.
  • Generate and communicate reports on assessment findings.
  • Summarize and advise on remediation strategies for identified vulnerabilities.
  • Translate application vulnerability risk into business risk and work with internal customers to communicate risk.
  • Scale Application Security to support PepsiCo’s Global Portfolio of applications through automation and integration into CI/CD pipelines.
  • Support other Information Security teams by advising on security-related incidents where needed.

Qualifications/Requirements

To be successful in this role, the candidate should have:

  • Bachelor’s degree in Computer Science, Software Development, Information Security, a related discipline, or equivalent working experience.
  • 3 years’ experience in agile full-stack web or mobile application development is strongly preferred.
  • Programming experience with one or more of the following:
      o Java/J2EE, .NET, Python, JavaScript, etc.
  • Understanding of the OWASP Top 10.
  • Experience with Application Security Vulnerability Testing Tools (Fortify, Veracode, Synopsys, WhiteSource, Snyk, etc.).
  • Experience with Application Security Vulnerability Management Tools (ServiceNow, DefectDojo, PlexTrac, ThreadFix, etc.).
  • Knowledge of Threat Modeling and Threat Intelligence Tools (RiskIQ, RecordedFuture, RiskRecon, CrowdStrike, ZeroFOX, Trellix, etc.).

Relocation Eligible: Not Eligible for Relocation
Job Type: Regular

All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, protected veteran status, or disability status.

PepsiCo is an Equal Opportunity Employer: Female / Minority / Disability / Protected Veteran / Sexual Orientation / Gender Identity

Our Company will consider for employment qualified applicants with criminal histories in a manner consistent with the requirements of the Fair Credit Reporting Act, and all other applicable laws, including but not limited to, San Francisco Police Code Sections 4901 – 4919, commonly referred to as the San Francisco Fair Chance Ordinance; and Chapter XVII, Article 9 of the Los Angeles Municipal Code, commonly referred to as the Fair Chance Initiative for Hiring Ordinance.

If you’d like more information about your EEO rights as an applicant under the law, please download the available “EEO is the Law” and “EEO is the Law Supplement” documents. View PepsiCo EEO Policy.

Please view our Pay Transparency Statement
