Application Security Lead at Morningstar
ABOUT THE TEAM
The Information Security department is responsible for setting enterprise security policies and standards that are designed to protect the confidentiality, integrity, and availability of Morningstar information. The security team offers guidance and technical expertise in areas like application security, infrastructure and cloud security, policies and procedures, disaster recovery and compliance/regulation. We analyze emerging security threats and conduct risk and vulnerability assessments to ensure that our information remains secure.
ABOUT THE ROLE
The Application Security Lead is responsible for the Application Security Program for all of Morningstar’s products globally. This includes the setting of global Application Security standards and processes, implementing appropriate security controls and tools, and continuously improving the overall program.
Morningstar is currently conducting a major migration to leverage AWS for our products and the Application Security Lead will have the opportunity to shape Morningstar’s Application Security Program as teams are migrating to the cloud and shifting towards a more DevSecOps mentality.
The position reports directly to the CISO and is based in our Chicago office.
• Lead and improve Morningstar’s global application security program.
• Define application security standards and processes for all of Morningstar’s products.
• Improve security standards, processes, and tooling to support Morningstar’s cloud migration and the “shift left” of security within the development lifecycle.
• Collaborate with development teams and security champions across the organization to architect secure products.
• Contribute to secure reference architectures and patterns for all product teams to leverage.
• Develop, maintain, and communicate current and future security architecture strategies and models.
• Conduct risk assessments, threat modeling, and information security reviews of Morningstar systems, applications, and platforms.
• Work directly with internal business units to communicate risk, provide security remediation advice, and deliver training as needed.
• Document secure coding guidelines and run training programs to assist internal development personnel.
• Provide application security expertise to support the incident response process.
• Work with your direct reports and provide development opportunities and insightful coaching.
• A bachelor’s degree and 6+ years’ experience in a development or software security / penetration testing role, or equivalent experience.
• Ability to contribute to and execute the strategic direction for the application security program.
• Ability to understand business requirements and architect security solutions accordingly.
• Excellent communication skills, with the ability to translate complex technical topics for non-technical audiences effectively.
• A strong understanding of software development, architecture, and application security.
• A strong understanding of application security best practices and how to build secure software.
• Experience architecting and deploying applications securely in cloud environments, ideally AWS.
• Strong understanding of common authentication models and protocols (SAML, OAuth, OpenID, etc.) preferred.
• Exposure to Agile and DevOps.
• Expert knowledge of application security vulnerabilities.
• Experience developing and refining Secure SDLC processes.
• Effective teamwork and leadership skills.
Nice to have
• Experience working with DAST, SAST, SCA, and similar tools.
• Experience leading application/information security initiatives, or similar experience.
• Exposure to global teams working in different time zones.