Job Details

ID #41097591
State Illinois
City Chicago
Job type Permanent
Salary USD $120,000 - $132,000
Source Request Technology, LLC
Showed 2022-05-18
Date 2022-05-13
Deadline 2022-07-12
Category Security

Associate Principal, Application Security

Illinois, Chicago, 60290 Chicago USA

Vacancy expired!

A prestigious financial services company is searching for an Associate Principal, Application Security. This role revolves around application security testing and the use of scanning tools. The person in this role will perform source code reviews and manual penetration assessments, and needs experience with Python, Java, Burp Suite, Kali, Linux, and automated code scanning.

Responsibilities:

  • Perform application security testing utilizing security scanning tools, manual source code reviews, and manual penetration assessments
  • Complete manual application security penetration testing, including scoping and design of the assessment
  • Collate vulnerabilities from assessments into the system of record for all application vulnerabilities
  • Review automated scanning results and communicate underlying risks to development teams.
  • Lead IT/Security code review meetings to eliminate false positives and encourage collaboration between Security and IT development teams
  • Review code changes to determine whether security testing will be required
  • Develop test strategies for automated and manual testing of applications.
  • Collaborate with internal security teams and external developer teams to ensure applications and the processes to build applications are compliant with our operating policies and procedures, and to identify and remediate vulnerabilities in those applications and processes.
  • Familiarize themselves with development tools such as GitHub, Jenkins, Artifactory, Harness, Terraform, and others to support the development pipeline from a security perspective and enhance security tool scanning capabilities.
  • Provide input into training on security best practices for application developers, architects and testers and coordinate the execution of training plans.
  • Work with the development team and Q/A to create development lifecycle documentation, and provide integrated systems planning that will enhance current systems and support corporate, business and system goals.
  • Identify process improvements and work with Security stakeholders to get buy in
  • Implement automation to streamline the daily and ongoing tasks for the team CI/CD pipeline
  • Develop and maintain current security tool containers in the pipeline, including bug and feature enhancements
  • Develop and maintain new security tool containers
  • Troubleshoot issues in the pipeline
  • Documentation and Process Improvements
  • Develop security engineering documentation
  • Suggest ongoing improvements of security engineering processes
  • Gather evidence of security testing processes for audits
  • Develop board-level reporting and metrics on an ongoing basis, fulfilling ad-hoc reporting requests when needed.
  • Coordinate development and periodic review of Security controls, policies and procedures in close coordination with Security managers.
  • Execute self-testing of Security controls and processes.
  • Security Engineering and Architecture
  • Conduct security reviews of technical architecture designs of systems and applications.
  • Advise on organization-wide projects from an application security perspective.
  • Coordinate execution of continuous testing roadmap exercises.
  • Assist in the remediation of security engineering vulnerability findings.
  • Participate in the change management process: evaluate the security impact, suggest controls, and reach conclusions to approve or reject change requests.
Qualifications:
  • Advanced understanding of the OWASP Secure Coding Practices and OWASP Top 10
  • Familiarity with Reg SCI
  • Experience with network architecture
  • 3-5 years experience in Security or equivalent combination of related experience or training
  • Ability to act as a liaison between security and the development, IT and QA teams.
  • General knowledge of scripting languages (Python, etc.)
  • Experience performing application security manual penetration tests and familiarity with pentesting tools (e.g., Burp Suite, Kali Linux, Postman)
  • Knowledge of security architecture design and principles including confidentiality, integrity and availability.
  • Experience with using or reviewing output of automated code scanning tools and development pipeline tools
  • Understanding of security concepts and practices, including those for authentication, authorization, access control and auditing as well as best practices (e.g. OWASP).
  • Familiarity with application frameworks and their built-in security services and APIs (e.g., Sun J2EE, MS .NET, OMG CORBA, Spring, etc.)
  • Familiarity with application authentication and authorization systems (i.e., CA SiteMinder, RSA SecurID/ACE, NS Active Directory and LDAP)
  • General knowledge of cryptography (symmetric and asymmetric encryption, digital signatures, message digests, certificates, PKI, SSL/TLS, etc.)
