Application Security Architect

Application Security Architect

Job Description

Our client, a global financial institution, is looking for an experienced Application Security Architect. They are looking for a passionate individual who thrives in a teams that rapidly ideates, implements and iterates, in order to and produce the best product possible result fortheir clients. They are building a new, cloud-native product from the ground up – join them on their journey and influence the architecture and implementation they use to develop a highly-scalable, revenue producing platform.

Role Responsibilities:

• Partner with engineers to co-design / architect cloud products with applicable security controls
• Work with the team to develop and implement platform level controls, templates and design patterns that by default enforce baseline security requirements
• Perform software architecture design and manual code/configuration reviews
• Serve as a technical security champion for the engineers and architects
• Review security assessment reports from pentest and code review engagements, help the team with risk rationalization, and develop and implement mitigation strategies
• Liaison with the firmwide TechRisk team to perform deep dive technical assessments and manage our risk portfolio

Technical Experience and Qualifications Required:

• 5+ years’ experience in one or more technical roles performing Threat Modeling or Secure Design Reviews
• Knowledge of most common Application Security vulnerabilities – e.g., OWASP Top 10 and cloud security gaps
• Familiarity with Security standards such as OWASP Testing Guide, OWASP ASVS, NIST and Sans top 20
• Common security controls and how they apply to different designs and systems including but not limited to secure authentication, access controls, encryption (at rest/ in transit), IDS/IPS, DLP, malware etc.
• Experience in application vulnerability assessment and penetration testing of web, thick-client, or mobile applications
• Working knowledge of application security tools such as fuzzers, scanners, debuggers, decompilers, proxies, simulators, etc.
• Familiarity with modern and common web stack technologies (e.g. HTTP, HTML5, AJAX, REST, etc.) and platforms (e.g. DropWizard, Springboot, React, Tomcat, .Net, MS SQL, MongoDB, etc.)
• Familiarity with AWS cloud services, recommended security best practices and secure deployment patterns
• Understanding of core cryptography concepts (Encryption, Hashing, HMAC, digital signatures) and how they are applied and attacked in web applications (e.g. TLS attacks, CBC attacks)
• Ability to analyze protocols (OAuth, SAML, OIDC), flows and interactions in a system design to evaluate gaps
• Ability to identify threats, abuse cases, and gaps in the design before it is implemented.
• Good written and oral communication to be able to articulate risks to both technical stakeholders and management

Nice to have qualifications:

• Experience in crafting custom proof of concept application exploits using testing tools/frameworks or scripting exploits in Python, Pearl, JavaScript, Shell scripting, etc.
• Knowledge of network, application and operating system security risks
• MS. in Computer Science, System/Computer Engineering, Cyber-Security, or Information Security
• Experience or trainings in related disciplines e.g. computer science, computer security, software development, system design, open source frameworks, encryption schemes, etc.

Apply for this role

All fields marked with * are required.