APPLICATION SECURITY RISK MANAGER

The Application Security Risk Manager (ASRM) is a multi-faceted security role responsible for the identification, tracking, mitigation, remediation, and verification of security vulnerabilities in software, systems, and application services. The successful candidate will combine experience in information security, software development, IT operations, and project management with strong interpersonal skills to ensure that security risks are effectively identified and appropriately addressed. Essential Job Functions: Security Risk Management: Monitor the security risk of the organization’s application portfolio. Ensure that all identified security exposures are properly handled. This includes issue awareness, risk determination, status tracking, and risk acceptance processing where appropriate. Proactively engage with security, software development, and product management stakeholders to ensure timely resolution of all security exposures. The ideal candidate will possess a combination of technical expertise in software and IT systems along with strong interpersonal skills to enable the clear and persuasive communication of risks with technical and business stakeholders as well as the effective validation of remediated vulnerabilities. Software and System Security Assessment: Oversee and actively support the security assessment of applications using tools and techniques such as source code analysis, web vulnerability scanning, and manual testing techniques. Project Management/Coordination: Coordinate departmental and cross-functional processes and projects. Champion application security program interests. Drive effective scheduling, risk and issue management, and change management for these initiatives. Participate in development and engineering efforts that include enhancements to tools, processes, and technologies in support of security operations, process and productivity improvements. Security Infrastructure Management: Develop, deploy, operate, maintain, support, and enhance security infrastructure and supporting tools such as Web Application Firewalls (WAFs), security assessment tools, issue tracking systems, and custom tools facilitating departmental processes. Other Job Functions: Participate in all aspects of technology security service delivery including business case development, requirements analysis, architecture, design, development, product/service selection & procurement, testing, technology infrastructure implementation and deployment, operational process and procedure documentation, training, and internal marketing of security services. Collaborate and coordinate with appropriate stakeholders throughout the organization to ensure that application security processes are appropriately engaged. Monitor policies and standards to ensure that application security interests are appropriately addressed. Essential Education/Experience Requirements: Bachelor’s degree in Computer Science, Information Systems or related discipline with at least five (5) years of related experience, or equivalent training and/or work experience; emphasis in application security a plus. Experience in coordinating or managing concurrent information technology projects. Strong communication, interpersonal, leadership, persuasion, and logical reasoning skills are a must. Candidate should have a demonstrated ability to foster productive working relationships with technical and business stakeholders across the organization while applying persistence and persuasion to ensure that risks are appropriately addressed. Candidate should have experience making and defending sound technical arguments that incorporate relevant technical and business considerations, as well as experience building consensus among stakeholders. Data analysis experience using SQL, Access, Excel, etc. Software development experience, preferably in Java/J2EE and/or C#/.NET. Candidate should expect to apply this expertise to understanding and communicating the risk of software security issues, to performing and coordinating small-scale software development in support of departmental systems supporting risk management and application security processes, and to performing ad hoc analysis of security, vulnerability, and risk data. Persuading and leadership qualities to set targets and accomplish goals. Other Desirable Experience: Experience evaluating the security of applications using both manual and automated techniques. Relevant tool experience may include code security scanners such as Fortify SCA, web vulnerability scanners such as HP WebInspect or IBM Rational AppScan, assessment support tools such as BurpSuite, Metasploit, Core Impact, etc. Security-related experience with the following: Web Application Firewalls, such as Imperva SecureSphere and Trustwave/Breach WebDefend. Design patterns and coding standards for secure software. Secure configuration and operation of Application Servers, Web Servers, Directory Servers, Media/Content Servers, Messaging Servers, Database Servers, and Integration Servers. Experience developing technical policies and standards, particularly as relates to information and technology security. Knowledge of and experience with built-in and add-on security capabilities of common application infrastructure components such as MS SQLServer, Oracle, MS IIS, iPlanet Directory, MS Active Directory, MQSeries, MSMQ, MS Exchange. Knowledge of general application security API's and protocols such as: MS CryptoAPI, Kerberos, SSL/TLS, SAML, S/MIME, and PKCS API's. End-to-end, hands-on experience in security solutions for complex enterprise architectures. Knowledge of cryptographic solutions for protection of data in use, in transit and at rest, such as: SSL/TLS, IPSec, format preserving encryption & sanitization (e.g. Voltage), etc. Knowledge of security considerations related to virtualization and cloud computing Formal experience leading/managing a small team is a plus. Financial services industry (Insurance, Banking, Investments) experience a plus. #J-18808-Ljbffr