Not to be confused with its closely related cybersecurity career peer, the penetration tester, a vulnerability analyst shares many of the same characteristics as its ethical hacking counterpart. However, whereas the pen tester’s goal-orientated services are called upon by clients who have already reached their desired security level, the vulnerability analyst’s services are required by clients who are aware of issues in their security and need help to identify and prioritise those issues. Thus a vulnerability analyst’s purpose is to compile a comprehensive list of vulnerabilities to guide an organisation as to the improvements it must make to its networks, applications and operating systems.
Vulnerability analyst roles are by nature very specialised, and often go by similar job titles, including Vulnerability Assessment Analyst, Vulnerability Researcher, Cyber Assessor or Security Assessor, beneath the blanket term of Security Consultant. The job of a vulnerability analyst is primarily to identify critical flaws in applications and systems that are potential targets for attack by hackers and cyber-criminals.
A vulnerability analyst’s role covers network security audits, the use of automated tools such as Nessus to seek out vulnerabilities, manual testing techniques to obtain a comprehensive overview of the environment and reduce false negatives, and the development, testing and modification of custom scripts and applications to support vulnerability testing. It also includes the all-important written presentation of a comprehensive vulnerability assessment and the subsequent education of IT teams within your company on better security practice. Strong written and oral communication skills are thus integral to vulnerability analyst jobs, as in the majority of cybersecurity and related roles.
Candidates setting their sights on a career in vulnerability analysis should also be able to demonstrate out-of-the-box and analytical thinking, as employers for these roles are looking for individuals who are curious, creative and somewhat abstract in how they approach their work. Those same individuals must apply precision and attention to detail when compiling their findings.
Vulnerability analyst jobs are typically outsourced to external consultants specialising in the discipline, and professionals looking to undertake the role need a plethora of technical skills. Candidates applying to vulnerability analyst jobs in the UK should be able to demonstrate knowledge of Windows, UNIX and Linux operating systems, programming languages including C, C++, C#, Java, ASM, PHP and Perl, as well as network scanning tools such as Nessus, ACAS, RETINA and Gold Disk. Proven experience with computer hardware and software systems, web-based applications, security frameworks, tools and products, such as Fortify and AppScan, will also elevate a candidate’s profile in the job selection process.
Employers are not necessarily looking for candidates with a specific degree or Master’s qualification, though computer science and cybersecurity degrees are typically useful foundations for breaking into the area. Practical work experience, usually between 2-3 years depending on the level of job complexity, is really what employers are expecting to see. Certifications are certainly useful, including the CEH, CPT, CEPT, GPEN, OSCP, CISSP, GCIH and CVA certs, which cover the areas of ethical hacking, penetration testing, information systems security, incident response and vulnerability assessment.
The majority of current listings for vulnerability analyst jobs in the UK are located in London and the South East, with the average annual salary coming in at around £45,000.