Application Security Specialist – Secure Programming / Threat Modeling (closed)
Serve as an Application Security Specialist for a Global Fortune 500 firm focused on implementing, developing, and owning the systems integration of security into the firm’s application development / software development lifecycles through Threat Modeling and SSDLC. While this role is focused on Application Security and Secure development, the role also encompasses other domains of IT Security and Operational Risk Management.
• You will own and drive the development of a secure coding program, including the development and maintenance of policies, standards and best practices.
• Liaise with the wider Information Security group to ensure consistency and alignment with broader information security strategy.
• Actively manage the security activities associated with Secure Software Development to address existing and evolving risks and threats appropriately.
• Act as Security Applications Architect and SME, providing consulting solutions and support to application development teams.
• Work closely with development teams to remediate application vulnerabilities detected through security scanning tools.
• Liaise with relevant stake-holders within the Technology group and business units to ensure that security awareness and issues are communicated effectively.
• Carry out risk assessments and/or threat modeling to articulate the levels and types of security controls appropriate for application/product initiatives.
• Introduce security patterns and perform source code reviews to ensure secure software development.
• Research, initiate and drive the evaluation of tools/technologies/processes to maintain and enhance the security of applications/software produced.
• Create simple and usable artifacts to guide development and testing teams.
• Manage application penetration tests.
• Provide and/or organize appropriate application security training and awareness for technical and non-technical staff.
• University degree in Information Security or similar.
• Requires 2-4 years of Applications Security Architecture experience with a good understanding of Threat Modeling, Security Patterns and Security Methodologies (e.g. STRIDE, OCTAVE, DREAD, OSSTMM).
• Relevant professional qualifications / certifications (CISSP, CISM, CISA, CSSLP, SANS, CHECK, CREST).
• Good understanding of Information Security standards, frameworks and best practice (e.g. ISO 2700x, OWASP, ITIL, COBIT).
• Must have previous and/or current “up the ranks” Applications Development experience in developing software using some of the following areas: C++, Java, C#, PHP, Perl, AJAX, SQL, SOAP, WCF, WS-*, REST, custom APIs, or SAML.
• Good understanding and awareness of documentation required as part of the secure software development lifecycle.
• Excellent communication skills (written and verbal) and able to articulate key messages to a range of audiences.
  - Can effectively discuss security challenges with developers and testers.
• Experience of at least one code security review tool (e.g. Fortify SCA).
• Can demonstrate the ability to identify and rationalize information security flaws in code through manual review and judgement, not only from tool output.
• Is able to offer remediation and solutions to problems created by insecure code.
• Is able to work with agile development groups and their delivery deadlines.
• Ability to lead and influence change.