Senior Security Engineer (closed)
The Senior Security Engineer is responsible for providing input into design and implementation, and for validating and supporting security systems and methodologies across the product lines. The security engineer will communicate the security roadmap to customers and then help develop and implement a strategy to fulfill that roadmap with development and test teams. The security engineer must also be prepared to design and build security devices and tools required for validating products.
In addition, the Senior Security Engineer will analyze and recommend customer security requirements to:
- Product Management, Sales, Pre-sales and Services Delivery;
- The Development department by directing and influencing the technology, design and implementation choices that are made; and
- Customers at financial institutions, particularly in their respective security departments.
RESPONSIBILITIES
- Architect, design, develop, and implement all security programs and measures to ensure the best possible security safeguards, and maintain the successful operation of the product line. Both new products, and existing currently supported products, should be covered by these security programs.
- Create and oversee the maintenance of a central repository for all security-related information, including development standards, best practices, and compliance results and responses. This repository should also house varying customer requirements and related product compliance status in order to streamline the compliance response process.
- Manage customer product security compliance responses, including interdependencies with Engineering, Sales teams and Pre-Sales Engineer teams, in order to meet customer reporting demands; may require travel.
- Design, develop and maintain security policies to address engineering response to newly exposed vulnerabilities in any shipping operating system or network hardware of the product line.
- Develop strategies and plans for proactive security incident response including:
  - Technical investigations
  - Operating system and network patching and testing procedures
  - Response time service level requirements
  - Internal and external notification procedures.
- Recommend security technologies, carry out hands-on feasibility studies with the development engineers to implement the technologies, and ensure that implementation is correct.
- Analyze, recommend, and test security technologies such as firewalls, IDS (network and server), NAC, AAA, certificates, and PKI.
- Lead quality engineering security team.
- Help identify and remediate security processes to prevent the recurrence of identified product security issues.
- Design and build security devices and tools.
EXPERIENCE/SKILLS:
The candidate must have at least 8 years of day-to-day, hands-on security experience, and at least 10 years of I.T. industry experience that includes all of the following: software design and development, systems quality assurance, database design and implementation, telecommunications, network design and administration, systems administration, and project management.
Must have:
- Detailed knowledge of security concepts (i.e. architecture, models, design, implementation, validation, management, best practices).
- Detailed knowledge of Linux, Solaris and Windows environments and appropriate hardening.
- Demonstrated experience in all aspects of the secure software development lifecycle.
- Detailed knowledge of networking concepts, protocols, technologies, and best practices, including: IDS, NAC, and firewalls.
- Detailed knowledge of cryptographic concepts, technologies, and best practices.
- Detailed knowledge of identity management, authentication, authorization, accounting, and audit (IA4) concepts, implementation, and best practices.
- Detailed knowledge of and experience implementing MAC and RBAC access control systems in a multi-factor authentication environment.
- Detailed knowledge of and experience in application security, secure development practices, and software security quality assurance using tools such as IBM AppScan and Codenomicon.
- Must have extensive vulnerability assessment, penetration testing, and ethical hacking experience.
- Strong knowledge of web applications.
- Strong knowledge of VoIP communications, and protocols including: SIP, RTP, RTCP and equivalent secured protocols.
- Strong knowledge of BCP, DR, and incident response (IR); demonstrated ability to plan, validate, and implement BCP, DR, and IR crisis management plans.
- Strong working knowledge of security tools, including:
  - intelligence and reconnaissance;
  - packet capture, crafting, replay and injection;
  - network, operating system, and application vulnerability assessment; and
  - penetration testing.
Highly Desirable:
- Experience with integrated authentication, authorization, and directory services in a heterogeneous O/S environment.
- A strong working knowledge of some subset of the following programming languages and supporting technologies: C, C++, Flash, Flex/ActionScript, Java, JSP, Java Servlets, JVM, JNI, jlog, PHP, MySQL, Informix, OCCAS, SQL Server, shell scripting, Python, Perl, Apache, Tomcat, mod_security, GreenSQL, Linux kernel, Linux socket API, Linux system API.
- SOA experience, including: XML, SOAP, WSDL, UDDI, and REST.
- Kerberos expertise.
Other:
- Must demonstrate effective interpersonal skills.
- Ability to lead a team of offshore engineers.
- Must have strong written, verbal, and presentation communication skills.
- Must be able to respond to frequent pressure to meet deadlines when work speed and sustained accuracy are paramount.
REQUIRED EDUCATION AND CERTIFICATIONS
- B.S. Degree in Computer Science or Engineering, Information Systems, Systems Engineering, or in a physical science or mathematics is mandatory.
- M.S. Degree in Computer Science or equivalent is desired. An M.S. in Information Assurance or Information Security from an NSA/NIATEC accredited institution is very highly desired.
- Current GIAC/GPEN or CEH/LPT certifications, or at least 5 years of proven application and network penetration testing experience, is mandatory. Current CHECK/CREST/TIGER or OSCP certifications may be acceptable substitute certifications under some circumstances.
- Current CCSP certification, or equivalent network security and hardening experience, is a plus.
- Current CCIE certification is a plus.
