* Must have OWASP Top 10
The information security program employs a top-down and bottom-up process to manage the information security risks to the Firm. The information security program leverages industry-accepted guidelines of the International Standards Organization (ISO/IEC) 27001/27002 as well as the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
A successful candidate will be an evangelist for the security program able to translate requirements and security concepts into language meaningful to various audiences, including business and technical leaders.
Working with various stakeholders to meet clear objectives and metrics, the candidate must be able to approach application security from the perspective of risk management, based on an in-depth understanding of the company's application portfolio and their use in the business. They must possess strong leadership skills and be effective interacting with highly technical individuals while demonstrating the ability to influence decision-making processes at all levels of the organization.
As the owner of the application security program you will be responsible for:
* Improving and maintaining secure development standards and managing application security framework improvement projects
* Integrating security tools, standards and processes into the Software Development Life Cycle (SDLC)
* Producing metrics reporting the state of application security programs and performance of development teams against requirements
* Ensuring that developers and QA personnel are trained with the appropriate level of security knowledge to perform their daily activities
* Improving and supporting application security tool deployments including static analysis and runtime testing tools
* Performing manual security testing of applications and databases and standards gap analysis services for internal business and technology partners
* Providing security requirements for test-driven design
* Supporting Vendor Security activities to ensure 3rd-party software and development meets Western Asset security standards
* Holding 3rd parties accountable for code quality
* Supporting the incident response and architecture review processes whenever application security expertise is needed
* Managing budgets and planning multi-year roadmaps
* Ability to positively influence the behavior of peers and build relationships with other teams
* Self-starter, ability to work independently with minimal supervision and as part of a team
Required skills for this position:
* Bachelor's Degree (or equivalent work experience) required
* An in-depth understanding of OWASP Top 10 is required
* Minimum 6 years of experience in information security related positions
* Minimum 6 years of application security work experience; familiar with common coding languages: JAVA, .Net, etc.
* Strong understanding of application frameworks and technologies including Software Development Life Cycle methodologies
* Familiarity with agile development processes and experience integrating secure development practices
* Experience in describing application security coding concepts to personnel of both technical and non-technical backgrounds
* Information security certifications: GSSP-.NET, GSSP-Java, CISSP, OSCP, etc. are preferred
* Familiarity with a variety of development, testing, and vulnerability scanning tools, including but not limited to: Eclipse, GIT, GCC, JIRA, Subversion, Maven, Jenkins, VeraCode, ClearQuest/Case, Silk, FindBugs, HP/Fortify SCA, IBM AppScan, and HP WebInspect, etc.
* Strong ability to explain vulnerabilities and weaknesses in OWASP Top 10, WASC TCv2, and CWE 25 to any audience, and discuss effective defensive techniques
* Experience with Web, Java, .NET, and Python development
* Experience promoting Continuous Delivery and a DevSecOps pipeline
* Experience with Docker and Containerization
* Strong scripting skills are highly desirable
* Familiarity with industry standards and regulations including FFIEC, SOX, and ISO 27001 is desired
ACADEMIC QUALIFICATIONS (MINIMUM REQUIREMENTS):
Bachelor's Degree (or equivalent work experience) required.