Manager Security Penetration Testing
Summary
Working closely with other members of the Security Services, IT Development Team and Quality Assurance teams, to lead application and software security initiatives, projects, and operations. Responsibilities include the development and implementation of security best practices in the software development life cycle (SDLC), guiding application teams in the development of secure applications, and integrating custom and commercial software with security infrastructure to support the confidentiality, integrity and availability of enterprise applications.
Ability to think with a security mindset. The successful candidate has a strong information security and technology background with in-depth knowledge of several key security practice areas to include access control; privileged access management; application security; identity and access management; data security and governance; network security; security architecture; mobile security and various cloud-based security strategies.
Primary Duties and Responsibilities:
To perform this job successfully, an individual must be able to perform each primary duty satisfactorily.
Conduct security review of technical architecture designs of systems and application.
Suggest security controls and practices to be integrated in the SDLC phases and participation in Security Assurance SDLC activities and toll gates.
Creates clear and concise reports of security analysis for SDLC artifacts and security review during change management process.
Collaborate and brainstorms with security assurance team on new information and security technologies in areas of application and application infrastructure components and propose ideas for new security service development
Develop, implement and execute control activities to ensure that security products, processes and procedures are working as intended; remediate any deficiencies detected; provide documentation and other artifacts.
Develop and collect metrics that measure the volume and trends of work activities and events within the security operations capability; provides regular reports to management.
Explores opportunities for updates to security assurance policies and standards
Coordinate development and periodic review of Security controls, policies and procedures in close coordination with Security managers.
Coordinate self-testing of Security controls and processes.
Coordinate execution of continuous testing roadmap exercises.
Assist in the remediation of security engineering vulnerability findings.
Manage the development of training on security best practices for application developers, architects and testers and coordinate the execution of training plans.
Work with development team and Q/A to create development lifecycle documentation, provides integrated systems planning which will enhance current systems and support corporate, business and system goals.
Participate in the change management process, able to evaluate the security impact, suggest controls and make conclusions to approve or reject the change requests.
Lead in designing penetration testing strategy and plan along with the testers.
Review reports of the testing and conduct security risk assessment of the findings.
Assist in risk prioritization of security vulnerabilities.
Conducts code scans using automated tools and risk rate the vulnerabilities according to the organization risk profile and mitigating controls.
Conduct security review of the baseline and proposed configuration changes to the baseline of devices and applications. Includes research on NVD, potential surface area for risk exposure and validation of controls.
Supervisory Responsibilities: Small Team
Qualifications:
The requirements listed are representative of the knowledge, skill, and/or ability required.
Highly motivated individual that assumes ownership of their projects
Must have a deeply inquisitive nature
Ability to act as a liaison between security and the development, IT and QA teams.
Strong desire and capacity to learn and support new technical applications
Exceptional verbal communication skills that include the ability to articulate ideas clearly and concisely
Excellent listening skills
Ability to facilitate meetings and conversations
Ability to write clear and concise documentation including technical specifications as well as business oriented approaches and process descriptions
Highly collaborative – comfortable sharing ideas and asking questions with all levels of staff
Ability to work both independently or on a team with tight timelines and minimal supervision
Security industry knowledge preferred.
Technical Skills:
Experience with Java programming including Java Servlets, JSP, J2EE, Spring.
Experience with J2EE applications and infrastructure including IBM WebSphere Application Server, WebSphere Portal, BEA Weblogic solutions and development.
Familiarity with application frameworks and their built-in security services and API’s (i.e., Sun J2EE, MS .NET, OMG CORBA, Spring, etc.)
General knowledge of scripting languages (Python, etc.)
Knowledge of security architecture design and principles including confidentiality, integrity and availability.
Automated code scanning tools and development pipeline tools
Understanding of security concepts and practices, including those for authentication, authorization, access control and auditing as well as best practices (e.g. OWASP).
Familiarity with application authentication and authorization systems (i.e., CA SiteMinder, RSA SecurID/ACE, NS Active Directory and LDAP)
General knowledge of cryptography (symmetric and asymmetric encryption, digital signatures, message digests, certificates, PKI, SSL/TLS, etc.)
Fundamental understanding of network and data communications technologies
Knowledge of security in Cloud concepts
Knowledge of Secure DevOps concepts
Education and/or Experience:
Bachelors degree in Computer Science, Management Information Systems, or related field or the equivalent combination of education and/or relevant experience
Two or more years of security assurance experience.
Experience with SDLC and working with business users, database analysts, system architects, etc., to identify and prioritize requirements.
Exposure to security architecture design through application development or knowledge of security concepts/best practices.
Previous work in development, architecture or quality assurance testing may be applicable to the position requirements.
Certificates or Licenses:
Professional network and/or security certifications a plus (i.e., GIAC, CISSP, CISA, CISM, CRISC)