This job is closed
We regret to inform you that the job you were interested in has been closed. Although this specific position is no longer available, we encourage you to continue exploring other opportunities on our job board.
About the position
The Director of Application Security Engineering at S&P Global is a pivotal role focused on safeguarding the integrity of applications and services within the S&P Ratings technology platforms. This position is designed for a senior security engineer who will lead a team dedicated to the development and implementation of security architecture and engineering best practices. The primary mission of the S&P Ratings Security team is to protect clients and users from modern security threats by creating innovative solutions to address significant security challenges. The successful candidate will be responsible for providing security engineering and architecture consultation, particularly in the context of GenAI applications, ensuring that security is integrated into the software development lifecycle (SDLC). In this role, the Director will collaborate with various teams, including software development, quality assurance (QA), site reliability engineering (SRE), and operations, to identify technical risks at both the component and system levels. This includes evaluating critical failure points, determining necessary security controls, and prioritizing these controls in alignment with application development timelines. The Director will also be instrumental in driving the Secure SDLC roadmap and enhancing the security engineering program, developing security tooling, and mentoring team members. This position requires a blend of managerial and technical skills, as the Director will provide architectural guidance on best practices, drive the specification and realization of security architecture, and assist in the development and maintenance of application security strategies, including those related to GenAI. The role also involves performing threat modeling, secure code reviews, and secure design reviews for high-risk applications, as well as conducting vulnerability research and serving as a technical advisor for new technologies and applications. The Director will guide development and SRE teams in building secure cloud-native applications, ensuring that security best practices are incorporated throughout the development process. This position is critical in maintaining the security posture of S&P Ratings and ensuring that applications are developed with security as a foundational element.
Responsibilities
- Lead a team of security engineers and analysts to provide security engineering and architecture consultation.
- Identify component and system level technical risks and evaluate critical failure points.
- Determine technical security controls to mitigate risks and prioritize them with application development timelines.
- Drive the Secure SDLC roadmap and Cloud security architecture.
- Develop, implement, and maintain application security and GenAI security strategy.
- Perform threat modeling, secure code reviews, and secure design reviews for high-risk applications.
- Conduct vulnerability research and serve as a technical security/risk advisor for new technologies/applications.
- Develop strategies to automate security testing using various scripting and open-source tools.
- Assist developers in remediating vulnerability findings with detailed guidance.
- Coach development teams on security disciplines and provide training on software security best practices.
- Consult on security incident response processes and application penetration tests.
- Guide development and SRE teams in building secure Cloud Native applications.
Requirements
- Bachelor's degree in Computer Science or a related field, or relevant work experience.
- 6 or more years of progressive experience in security engineering roles.
- Experience managing security engineering teams.
- Demonstrated expertise in Application Security, Web services security, and GenAI/LLM security.
- Experience with threat modeling, risk analysis, and control design.
- Experience architecting and leading security for Cloud native applications.
- In-depth knowledge of network security, authentication, and authorization.
- Advanced understanding of vulnerability exploitation chaining and remediation.
- Expertise in product/application security architecture, including SOA, network security, and web services.
- Skills in security audit, vulnerability assessment, and packet analysis.
- Knowledge of TCP/IP stack, encryption, TLS, DTLS, ECC, and PKI/Certificates.
- Experience with Identity & Access Management (AD/LDAP).
Nice-to-haves
- Programming expertise in Java and Python, with exposure to Agile SDLC processes.
- Security forensic analysis skills.
- Knowledge of AWS cloud architecture and virtualization technologies like Containers, EKS, Kubernetes, and VMware.
- Experience with automation tools associated with DevOps and CI/CD pipelines.
- Familiarity with SAST/DAST/SCA tools like Fortify and Whitesource.
- Database knowledge including Postgres, Oracle, Databricks, and Snowflake.
- Familiarity with Secure SDLC frameworks such as NIST SSDF and OpenSAMM/BSIMM.
- Experience with AI technologies and services, including security of Gen AI models.
Benefits
- Health care coverage designed for the mind and body.
- Generous time off to keep employees energized.
- Access to resources for continuous learning and career growth.
- Competitive pay and retirement planning options.
- Family-friendly perks and benefits for partners and children.
- Retail discounts and referral incentive awards.
