Manager, Application Security

28 Sep 2024

Vacancy expired!

This position can be remote in NJ, PA, NY, CT, VA, DC.

The Manager of Application Security will be a key member of the Information Security group responsible for enhancing and managing the application security program. This program is designed to ensure applications meet overall security goals to protect customer and company data. This individual will lead a team of application security specialists to evaluate the security of in-house and third-party developed software, raise awareness of secure development practices, help mitigate threats and vulnerabilities, and develop standards related to software security. The Application Security Manager will be a hands-on and highly technical leader and will collaborate with development teams and product teams to ensure that security adds value and enables the SDLC.

Job Responsibilities:
  • Lead a team of Security Analysts who perform application security reviews (SAST/DAST) and recommend security solutions to meet current and future needs for The Firm's applications.
  • Work with Development, DevOps, and other Information Security teams to identify, develop, and maintain automated security and compliance capabilities in support of DevSecOps processes. This includes planning, designing, developing, testing and releasing of security implementations within applications.
  • Provide leadership and strategy on all matters related to identifying and remediating application vulnerabilities earlier in the SDLC.
  • Drive the development and implementation of application security standards that effectively reduce security risks before product releases.
  • Engage with teams across technology and digital products to understand their needs to build security into technologies and solutions.
  • Demonstrate subject matter expertise (SME) with common web application vulnerabilities, such as the OWASP Top 10 and business logic flaws; ability to explain all vulnerabilities and weaknesses and discuss effective defensive techniques.
  • Manage third-party penetration assessments and ensure that findings are appropriately prioritized and tracked to resolution.
  • Manage internal security champion and developer security training programs.
  • Mitigate threats and vulnerabilities through a variety of security testing: (1) static testing (scanning code), (2) dynamic security analysis (attacking the application during the UAT stage), and (3) penetration testing (attacking the application in the full ecosystem).
  • Evangelize application security and security testing across the enterprise.
  • Effectively communicate vulnerability risks and remediation methods to business owners, developers, and up to the executive level.
  • Manage, develop and train staff; develop and monitor goals; conduct annual performance reviews; and administer salaries for the staff.
  • The information above is intended to describe the general nature of the work being performed by each incumbent assigned to this position. This job description is not designed to be an exhaustive list of all responsibilities, duties, and skills required of each incumbent.

Education/Experience:
  • BA/BS degree preferred or relevant work experience required in lieu of degree.
  • 10 years of application security or application development experience, or a Master's degree and 7 years' experience.
  • Minimum of 2 years of management or Team Lead experience.

Additional Licensing, Certifications, Registrations:
  • At least one of the following certifications: CISSP, SANS Certifications, OSCP, Programming Certifications or similar

Knowledge, Skills and Abilities:
  • Strong knowledge of one or more of the following programming languages: Java, JavaScript, C#, C, C
  • Strong knowledge of automation tools such as Jenkins, Ansible, Chef, and Puppet
  • Experience using scripting languages (e.g. Python, PowerShell, Ruby) to automate tasks and manipulate data
  • Experience assessing and securing open-source software components
  • Solid understanding of applied cryptography, web security, TLS/SSL, web authentication protocols such as OAuth/OpenID Connect/SAML
  • Experience with security tools like Burp Suite, OWASP ZAP, Fortify, CheckMarx, AppScan

  • ID: #46051617
  • State: New Jersey Newark 07101 Newark USA
  • City: Newark
  • Salary: Depends on Experience
  • Job type: Permanent
  • Showed: 2022-09-28
  • Deadline: 2022-11-07
  • Category: Et cetera