About The Position

Senior Security Engineer — AI-Led Banker Workstation & Mobile Platform (Citi IB)

Role summary

Own security architecture and implementation for Citi's AI-led banker workstation across mobile (hybrid/WebView + native modules) and desktop, with emphasis on offline authentication/MFA, encrypted offline data, headless CRM integrations, and LLM/agentic workflows in a highly regulated IB environment.

Requirements

  • 8+ years in application security / platform security, with deep experience in mobile security (iOS/Android, WebView/hybrid apps).
  • Strong knowledge of enterprise IAM patterns (SSO, OIDC/SAML concepts, MFA integration, token/session management) and secure auth flows.
  • Hands-on expertise with device security: secure enclave/keystore/keychain, biometric gating patterns, cryptographic key management, certificate pinning, secure storage.
  • Experience securing offline-first apps: encrypted local data stores, sync strategies, conflict handling, secure caching, remote wipe, and data minimization.
  • Strong understanding of API security: OAuth2/JWT, mTLS, zero trust patterns, secrets management, least privilege, rate limiting, and secure logging.
  • Practical experience securing LLM/AI systems: data governance, PII controls, prompt injection defenses, evaluation/monitoring, and audit requirements.
  • Ability to lead threat modeling and security reviews and to influence architecture decisions across teams.

Nice To Haves

  • Experience in financial services / investment banking environments (conflict management, audit trails, restricted data controls).
  • Familiarity with UEM controls (e.g., BlackBerry UEM) and enterprise mobile governance.
  • Experience with Glassbox or comparable analytics tooling from a privacy/security perspective.

Responsibilities

  • Offline Auth/MFA Architecture: Design and implement secure offline authentication and authorization aligned to Citi IAM (EPF/SSO/AD + MFA/BIND ID), including token lifecycle, biometric unlock patterns, recovery flows, and policy compliance.
  • Mobile Security Engineering: Secure the hybrid shell + WebView model, define secure bridging patterns for native modules, harden the in-house wrapper, and ensure safe storage and key management on device.
  • Offline Data Protection: Define and enforce encryption and data handling for offline use (IndexedDB + BlackBerry UEM constraints), including data minimization, retention, wipe policies, and secure sync patterns.
  • API & Integration Security: Establish secure patterns for headless CRM read/write, service-to-service auth, least-privilege access, and secure data contracts for clients/deals/coverage/calls/notes.
  • AI/LLM Security & Governance: Implement guardrails for agentic workflows—PII handling, redaction, prompt/data injection defenses, auditability, output controls, and secure logging/monitoring.
  • Threat Modeling & Reviews: Lead threat modeling for mobile/offline/AI workflows, conduct security design reviews, and drive remediation across engineering teams.
  • Security Testing & Compliance Readiness: Define security test strategy (SAST/DAST, mobile app pentest readiness, dependency/secret scanning), and support InfoSec review cycles and regulatory expectations.
  • Incident Response & Observability: Establish security telemetry, anomaly detection, and incident response playbooks for mobile apps, backend services, and AI endpoints.

Benefits

  • Medical, vision, and dental benefits
  • 401k retirement plan
  • Variable pay/incentives
  • Paid time off
  • Paid holidays are available for full-time employees
© 2024 Teal Labs, Inc