Application Security Architect
As a Application Security Architect you will be a member of the IT Services Cyber Security team. You will build a collaborative working relationship with Corporate Information Security and Risk, IT Services, Enterprise Application Services, Business Unit application development and information security teams, and others to develop, promote, and implement sound application security strategies.
Performs duties as the primary resource for business units and functions not having internal application security resources. Is a consultative resource for business units and functions having internal application security resources.
Determines application security requirements by evaluating business strategies and requirements against established security standards, risk assessment methodology, and client requirements.
Researches information security standards; conducts application security and vulnerability analyses and risk assessments; researches threats and attack vectors that impact applications.
Performs reviews to identify potential security gaps within the integrated systems of application components, data access dynamics as well as transaction flow.
Plans, coordinates, and leads in the design, integration, development, validation and implementation of specific security policies, systems and services.
Mentors IT Services Cyber Security team and other IT staff members to enhance their knowledge of information security concepts, practices, tools, strategies, etc., and to improve the overall effectiveness of the information security program at.
Coordinates with IT Services Technical Training team and/or independently implements as well as manages training programs for developers on secure code development practices.
Ensure application security program aligns with industry frameworks such as the NIST Cyber Security Framework, ISO27001, FFIEC Cyber Security Framework, PCI, and others as applicable.
Leads security design as well as application architectural reviews.
Maintains documentation related to application security including the development of secure coding policies, procedures and standards, as well as ensures the Software Development Life Cycle (SDLC) used in entities includes necessary security checkpoints, code review methodologies, etc.
Collaborates with the IT Services Cyber Security team as well as business unit application security teams
Participates with incident response teams as a subject matter expert on application security.
Minimum of 3+ years in the following security functional areas: application security, authentication and authorization, identity and access management, dynamic application security testing, static application security testing, Middleware security, data security, and/or vulnerability management.
7-10 years development/engineering experience using programming and scripting languages such as .NET, C, C#, Perl, Python, Ruby, Java, SAML, web services APIs, etc.
Expertise in mitigating and addressing technology or application threat vectors
Experience with Web Application Firewalls, reverse proxies, and application security architecture.
Solid knowledge and understanding of securing all major web server environments as well as cloud platforms based on OWASP top ten recommendations
Knowledge of regulatory and statutory compliance requirements across industries
An Information Security and/or Web application security certification; e.g., SANS GWEB or GWAPT, CSSLP.
Must have superior communication (oral, written, presentation) and customer service skills.
Experience in developing design and architecture documents that are easily consumed and followed by SDLC teams
Expertise in building a defense in depth infrastructure security architecture that includes security controls across multiple technology stacks
Experience and knowledge of security/access control administration best practices associated with applications, servers and networks associated with Microsoft Active Directory, ADFS, SAML, etc.
Knowledge of Information Security compliance requirements including ISO 27001, NIST, PCI, HIPAA and GDPR
Bachelor’s degree from a four-year college or university or equivalent.