Moody’s IT Risk Management is looking for a Senior Application Security Analyst who will be aligned to the IT Risk function to support the Secure SDLC program and Application Security Architecture. This is a position requiring a background in application development, application security design review, application vulnerability remediation, metrics-driven reporting practices, and solid communication and organization skills.
The ideal candidate is highly motivated and willing to take on challenges, able to prioritize and manage multiple tasks, and able to work independently with minimal oversight. The candidate has a broad understanding of cybersecurity, a deep understanding of application development practices and of remediating application vulnerabilities, and is able to articulate complex information through reports, dashboards, and presentations that tell a story.
The Application Security Architecture program supports Moody’s Information Risk and Security team by identifying flaws in new application designs and planned application changes, working with application developers to architect solutions to security-related application challenges, providing detailed explanations and recommendations to application developers about vulnerability findings, and reporting key vulnerability remediation metrics and dashboards to Moody’s management.
The Moody’s Information Risk and Security team is globally responsible for helping the organization balance risk by aligning policies and procedures with Moody’s business and regulatory requirements. The team is responsible for the development, enforcement, and monitoring of security controls, policies and procedures, disaster recovery programs, GRC (Governance, Risk and Compliance) reporting, and the delivery of security services including the company’s Cyber Security program. Information Risk and Security management sets strategic direction for IT risk and security and aligns with stakeholders throughout the organization.
- The senior application security analyst will work with the various development teams to implement application security practices that meet Moody’s defined policies and standards for information security.
- The senior application security analyst must analyze information security systems/applications; make recommendations and develop security measures to protect information against unauthorized modification or loss.
- The senior application security analyst will serve as subject matter expert for best practices and security controls.
- Efforts will include:
- Serving as a subject matter expert for security in application projects
- Driving secure application development practices and a secure development mentality
- Managing the application vulnerability assessment process and tools (SAST and DAST) focused on web, client-server, and mobile applications
- Identifying, communicating, and driving the resolution of vulnerabilities
- Developing and updating security patterns aligned with security requirements
- Identifying application security requirements for projects
- Providing reports to development management and business management on the status of vulnerability remediation for their applications
- Performing functional requirement reviews and technical design reviews
- Coordinating and collaborating with server infrastructure engineering, network infrastructure engineering, business application development, and database administration functions to ensure that the confidentiality, integrity, and availability of corporate infrastructure meet business demands
- Performing other security-related projects that may be assigned according to skills
Technical Experience & Qualifications:
- Bachelor’s degree or greater in a technical or business discipline
- 4-6 years or more of experience, primarily in application development, information security, or a related field, preferably in the financial sector and/or supporting IT Risk or Information Security initiatives
- Experience and technical proficiency with modern application packaging, deployment, containerization, bug tracking tools, and other supporting tools (Jenkins, Maven, Docker, Kubernetes, Jira, Rally, etc.)
- Experience and technical proficiency with modern source code management and software repository systems (Git/GitHub, Perforce, Subversion, Team Foundation Server, etc.)
- Experience and technical proficiency with developing applications specifically for AWS and Azure Cloud hosting environments
- Experience with Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST) tools, and enterprise architecture tools
- Deep understanding of OWASP Top 10 and SANS Top 25 vulnerabilities
- Strong experience with data visualization concepts and tools
- Ability to analyze data using Excel including use of complex Excel macros / scripts for reporting purposes; some development experience is preferable
- Experience with Veracode (or other SAST/DAST tools), Jira, ServiceNow, and Splunk is preferable
- CISSP, GIAC, CISA, CISM, TOGAF certifications preferable
- Ability to work individually and as part of a team
- Strong written and oral communication skills
- Strong presentation skills; ability to adjust message and filter details based on audience (e.g. technical, business, management)