Sr Application Penetration Tester

About The Position

Requirements

• Bachelor's degree preferred; equivalent experience of 8 or more years of combined experience within information technology or information security is acceptable
• Qualified candidate will include 8+ years of broadly based progressive experience in information systems or information security environments or software engineering
• Qualified candidate must have experience or be well-versed in development technologies such as Java, Node, or .NET frameworks and have a thorough understanding of web application design and frameworks.
• Qualified candidate must be able to perform comprehensive static, dynamic, and manual application testing following industry-standard testing methodologies and has experience with one or more application review tools such as Snyk, Fortify, Checkmarx, Veracode, Burp Suite, Webinspect, Prisma Cloud, Prisma Compute, Cortex Cloud, CI/CD pipelines, or GitLab security scanners.
• Ability to be a technical lead for an enterprise-wide information security program and processes related to comprehensive application security testing, secure application design, application threat modeling, cloud security, SaaS security, and AI security.
• A strong drive to follow new and emerging technologies and application design patterns, assess potential risks, and proactively drive adoption and implementation of appropriate controls by development and infrastructure teams
• Must be able to use command line tools on Mac workstations.
• Ability to write shell scripts, python scripts, PowerShell scripts, CI/CD pipeline tasks and implement automation workflows using APIs
• Ability to build and sustain collaborative relationships with multiple constituencies
• Ability to translate information security terminology into terms understandable to diverse groups
• Excellent written and oral communication skills
• Excellent analytical and problem-solving skills
• Excellent facilitation and negotiation skills
• Ability to work independently
• Ability to multi-task and manage competing priorities
• Detail oriented
• Commitment to teamwork
• Ability to drive Continuous Improvement efforts

Nice To Haves

• Background in application security, application design patterns, DevSecOps practices, cloud security, DevSecOps practices, SaaS security, and AI security
• Strong technical knowledge of application development practices and ability to work closely with development and infrastructure teams
• Ability to threat model applications and emerging technologies
• Knowledge of existing AI design patterns, risks, and controls
• Knowledge of AI-related attacks and ability to pen test applications using AI technology
• Able to guide application and infrastructure teams on application security remediation
• Able to manage development projects with work intake, sprints, and planned releases
• Background in information security and or organizational communication within the financial services industry
• Understanding of federal and industry regulations associated with information security, such as Sarbanes-Oxley, HIPAA, GLBA, etc.
• Understanding of application security and cloud security frameworks and standards, such as NIST, CIS, CSA, OWASP, etc.
• Knowledge of systems architecture such as network and distributed systems, and or mainframe systems
• Knowledge of security services such as firewalls, IDS, vulnerability assessment, and authentication
• Professional certification (GWAPT, OSWE, BSCP, CISSP, or Google Professional Cloud Security Engineer) is desirable

Responsibilities

• Conducts comprehensive application security testing
• Participates in application threat modeling and tabletop exercises
• Coordinates the development, implementation, and administration of application security policies and standards
• Coordinates and oversees the work of junior team members in application security
• Development and other operational tasks to maintain the Application Security testing and DevSecOps program within the Cyber Application and Cloud Defense team
• Coordinates remediation prioritization and triage efforts for the application security program
• Coordinates the development, implementation, and promotion of effective information security awareness within the organization with the goal of making all employees, contractors, alliances, and other third parties security aware
• Monitors compliance with the organization's information security policies and standards among employees, contractors, alliances, and other third parties, facilitating remediation by referring problems to appropriate department managers for resolution
• Promotes the availability, integrity, and confidentiality of company data, regardless of medium
• Provides direction, guidance, and opinions regarding information security awareness, communication, policies, and standards
• Assists with the development of information security training to all employees, contractors, alliances, and other third parties, as required.
• Ensures sponsored training conforms to existing policies and standards
• Directs the timely dissemination of information security information
• Serves as an internal information security consultant and liaison to all areas of the organization as a daily activity
• Communicate the practical implications of information security decisions, issues, and plans to the organization
• Monitors advancements in information security methodologies and technologies
• Monitors changes in legislation standards that may affect information security
• Participates in enterprise-wide information security architecture discussions, as required
• Selects and or works with external vendors, outside consultants, and other third parties to improve information security, as required
• Attends conferences and training as required to maintain proficiency