Description
Senior Application Security Architect
Job Description:
The Senior Application Security Architect will consult with all relevant Information Technology (IT) teams on all matters relating to Application Security and will be responsible for the development, maintenance and continuous monitoring of application security architecture related controls.
This role is focused on people, process and technology to ensure Secure Software Development Life Cycle (SDLC) for a fast-paced IT application support and infrastructure teams.
The role requires a solid understanding of application security principles, best practices and a background working in a secure application development and coding environment within an enterprise.
Job Tasks:
- Build a very close working relationship with the Office of Infrastructure and the Office of Application Support under the Department of Information Technology (IT).
- Provide strong information security leadership and cross-functional/stakeholder communications.
- Develop and maintain up to date documentation related to Application Security including the development of secure coding policies, procedures and standards to ensure effective and efficient Secure Software Development Life Cycle (SDLC) processes, to include necessary information security checkpoints, code review (Whitebox) methodologies, etc.
- Manage training programs on secure code development best practices for developers.
- Identify information security requirements by evaluating business strategies and requirements; researching information security standards; conducting vulnerability and risk assessments; studying architecture/platform; identifying integration issues; preparing cost estimates.
- Plan and coordinate with internal teams on the design, integration, development, validation and implementation of specific policies, procedures and standards.
- Serve as Advisor to Office of Infrastructure and the Office of Application Support on:
- Evaluation of new security trends and technologies
- Assessment and acquisition of application security tools and technologies
- Vulnerability and penetration testing and gap remediation workflows
- Network and End-point forensics
- Incident response workflows
- Audit compliance reporting
- Data loss prevention
- Attend design and application architectural reviews and actively lead discussions from an information security standpoint.
- Participate an information security subject matter expert in the incident response program.
Minimum Experience & Qualifications:
- Minimum of 5 years in the following information security functional areas:
- Web and Mobile Application Security
- Dynamic Application Security Testing
- Static Application Security Testing
- Patch & Vulnerability Management
- Vulnerability & Penetration Testing
- Authentication and Authorization
- Identity and Access management
- Two Factor Authentication (2FA)
- Single Sign On (SSO)
- Expertise in mitigating and addressing technology or application threat vectors.
- Expertise in building a defense-in-depth infrastructure security architecture that includes information security controls across multiple technology stacks.
- Experience with Web Application Firewalls, Runtime Application Self-Protection (RASP), Reverse Proxies and other protection technologies (network, operating system and application layers).
- Solid knowledge and understanding of securing all major web server environments and cloud platforms based on Open Web Application Security Project (OWASP) Top Ten recommendations.
- Demonstrated knowledge of regulatory and statutory compliance requirements across industries.
- Familiarity with dynamic web application vulnerability assessment tools and services.
- Familiarity with static code analysis tools and services.
- Familiarity with high level programming languages.
Job Requirements:
- Master's Degree combined with 15+ years of overall information security experience.
- Strong program development, program management and leadership skills including experience in developing, documenting and establishing holistic information security programs and best practices.
- Deep application development/software development knowledge, understanding of information security protocols and Application programming interfaces (APIs).
- Understanding of application threat modelling and Secure SDLC best practices.
- Strong documentation skills in writing application security policies, procedures and standards.
- Current information security management certifications such as CISSP, CISM and HISP.
- Curious, inquisitive, lifelong learner and self-starter.
- High level of personal integrity and trustworthiness.
- Great team player with good communication skills.