IT Application Security Architect

Job Description

• The IT Application Security Architect (ITASA) is an experienced person who will work with IT to support business units across the enterprise using various technologies.
• As a senior member of the IT team, the ITASA's purpose is to help ensure the security, confidentiality, integrity, and availability of the client's ecosystem.
• You can succeed by working closely and over-communicating with the client's project teams across the agile train, business groups, and the IT security teams.
• It is the ITASA's responsibility to ensure effective remediation or controls around findings in web applications and data for the client's initiatives.
• The ITASA will need the ability to be efficient working alone across multiple application and network teams.
• All ITASA's will, under the guidance of a Lead Application Security person, be responsible for actively reviewing and following existing security policies, procedures, and standards, as they relate to application security.
• As an ITASA, you will need to cultivate a culture of security awareness and continued education of personnel to ensure security policies are consistently adhered to.
• The application security team will work with the leading project individuals to identify, assess, remediate, or control risks related to application security.
• You will need to conduct individual security code reviews, pipeline automation, and scripting of security tools as is necessary for existing system architecture.
• You must have a solid understanding of security protocols, cryptography, authentication, authorization, and general application security requirements.
• As an ITASA you will work with Lead Application Security personnel to evaluate, recommend, design, and implement application security solutions increasing the client's application security posture and reducing application threat surfaces.
• You will need excellent written and verbal communication skills along with business acumen and an enterprise outlook to interact with a broad cross-section of personnel explaining and enforcing security measures.
• The ITASA may be expected to engage with third-party vendors for tools to evaluate, improve and automate daily processes for the security team.
• Each ITASA will perform tasks in support of the current IT Security Roadmap and may be responsible for the intake, development, assessment, and management of new or existing tools.

• IT Application Security Architect must have experience with auditing applications and system architectures.
• A minimum of 10+ years of Microsoft enterprise full-stack web development.
• Continuous learning on the job to keep up with a fast-paced ever-changing field.
• Experience in information and IT risk management with a focus on security, performance, and reliability.
• Knowledge of information systems and current industry security standards and practices.
• Familiarity with two or more: OWASP, SANS, NIST, ISO27001, and/or COBIT 5.
• General knowledge of security aspects across these areas:
• Database security.
• Mobile application security.
• Enterprise user directory services.
• System authentication and authorization.
• Application encryption key management.
• Web server configuration and hardening.
• Azure SaaS/PaaS/IaaS security and design.
• Auditing of information security subject areas.
• Networking segmentation, systems, models, and processes.
• Ability to read and understand code (.Net C#, JavaScript, NodeJS, HTML, CSS, React)
• Minimum 3+ years of code review experience.
• Minimum 5+ years C# development.
• Minimum 2+ years of NodeJS experience.
• Minimum 2+ years scripting language (PowerShell, Python)
• Minimum 1+ years of React experience.
• Minimum 2+ years experience with Azure, including Infrastructure as Code.

• Bachelor's degree
• Demonstrated knowledge of web application penetration testing is preferred.
• Certification (SABSA, CISSP, etc.) in topics the address security directly is preferred.
• Familiarity with: OWASP, Checkmarks, Burp, ZAP, IBM AppScan.

• Security: principles, data access, encryption, HTTP modules/handlers.
• Database: Structure, DDL, SQL, data organization, and optimization, Entity Framework.
• Programming: JSON/XML patterns, development techniques to facilitate testing, advanced constructs.
• Web Services: SOAP/REST, Web API, Node why, when, how
• Web: HTTP(s) request/response messaging, ASP.Net/MVC/.Net Core
• GUI: JavaScript, jQuery, CSS, HTML5, Bootstrap, React
• Azure: subscriptions, resource groups, regions, app registrations, AKV, Managed Identities.