Job Details

ID #15581553
State Texas
City Irving
Job type Permanent
Salary USD TBD TBD
Source Citi
Showed 2021-06-18
Date 2021-06-17
Deadline 2021-08-16
Category Et cetera

Vulnerability Research Technical Lead (SVP)

Texas, Irving, 75039 Irving USA

Vacancy expired!

The Vulnerability Assessments (VA) team plays a key role within Cyber Security Operations at Citi, providing security testing services to internal businesses and enabling delivery of secure solutions to Citi customers at a rapid pace. The Vulnerability Research Technical Lead position is a cross-functional role that will be responsible for leading multi-disciplinary security research projects, analysis and research of new vulnerabilities and exploits, and identification of systemic issues within mission-critical Citi applications. The position reports directly to the Application Security Testing Director. The successful candidate must be an individual who understands modern software development frameworks and complex enterprise architectures, and who keeps up with the ever-evolving cyber security threat landscape. The individual must be comfortable talking to executives and business partners to share security findings and drive remediation efforts, while liaising with the internal testing teams to manage competing priorities and tasks. Within this leadership role, the individual is expected to mentor team members, improve tools/processes, and set technical direction for application security testing services as a hands-on participant.

Key Responsibilities:
  • Act as a subject matter expert in offensive information security
  • Perform in-depth analysis and research of new vulnerabilities and exploits
  • Develop proof of concepts to characterize exploitability and impact
  • Have excellent communication (written and verbal) skills to report and articulate the results
  • Conduct deep-dive vulnerability assessments on a variety of Citi applications (Web, Mobile, APIs, Desktop, and ATMs) to identify security vulnerabilities
  • Drive remediation by outlining a defense-in-depth approach to business stakeholders and providing strategic solutions to developers on effective security controls and countermeasures
  • Contribute to the review of internal tools/processes and assist in identifying potential opportunities for improvement and automation
Qualifications:

The prerequisite for this position is a master's degree with a minimum of 5 years of experience or a bachelor's degree with a minimum of 8 years of experience in the field of application security testing and research.
  • Demonstrated experience in vulnerability discovery, analysis, and exploitation
  • Comfortable with manual application penetration testing and threat modeling
  • Strong understanding of a variety of application architectures (Microservices, REST APIs, SOA, MVC), software development methodologies (Agile, DevOps, Waterfall), programming/scripting languages (Java, .NET/C#, C/C++, Python, Ruby), development frameworks (Spring, Struts, AngularJS, NodeJS), and application infrastructure (web/app servers, middleware components, databases, public/private/hybrid cloud deployment, cloud service models - SaaS/PaaS/IaaS)
  • Hands-on experience working with security tools such as BurpSuite Proxy, AppScan, WebInspect, SoapUI, Qualys, CheckMarx, BlackDuck, Nessus, NMAP
  • Deep knowledge of common application security related industry standards such as OWASP Top 10, CWE/SANS Top 25
  • Passion for security research, demonstrated by published research, active participation in community events, or contributions to the security community
  • Excellent presentation skills as well as ability to be organized and detail-oriented
  • Must have or be willing to obtain industry-accredited security certification such as: GWAPT, GPEN, GXPN, OSCP, OSWE, CREST, CISSP, CISM
  • Prior experience with application development and performing manual code review is a plus
Job Family Group: Technology
Job Family: Information Security
Time Type:

Citi is an equal opportunity and affirmative action employer.

Qualified applicants will receive consideration without regard to their race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or status as a protected veteran.

Citigroup Inc. and its subsidiaries ("Citi") invite all qualified interested applicants to apply for career opportunities. If you are a person with a disability and need a reasonable accommodation to use our search tools and/or apply for a career opportunity, review Accessibility at Citi.

View the "EEO is the Law" poster. View the EEO is the Law Supplement. View the EEO Policy Statement. View the Pay Transparency Posting.
