S&P Global - Washington, DC

posted 4 months ago

Full-time - Senior
Remote - Washington, DC
10,001+ employees
Computing Infrastructure Providers, Data Processing, Web Hosting, and Related Services

About the position

The Director of Application Security Engineering at S&P Global is a senior-level position responsible for leading a team of security engineers and analysts to develop and implement security architecture and engineering best practices across S&P Ratings technology platforms. The primary mission of the S&P Ratings Security team is to protect clients and users from modern-day security threats by safeguarding systems and data through innovative solutions. This role requires a combination of managerial and technical capabilities, focusing on driving the Secure Software Development Life Cycle (SDLC) roadmap and Cloud security architecture. The successful candidate will work closely with software development, QA, SRE, and Operations teams to identify technical risks, evaluate critical failure points, and implement security controls to mitigate risks while aligning with application development timelines. In this role, the Director will provide architectural guidance on best practices regarding security in software development, shared services, and user interface design frameworks. They will also be responsible for developing, implementing, and maintaining application security and GenAI security strategies, performing threat modeling, secure code reviews, and secure design reviews for high-risk applications. The Director will serve as a technical security advisor for new technology and applications developed by S&P Ratings, guiding development and SRE teams in building secure Cloud Native applications by incorporating best practices and industry standards. This position also involves mentoring team members, developing security tooling, and consulting on security incident response processes. The Director will play a crucial role in ensuring that security is integrated into the development process and that the organization is prepared to respond to security incidents effectively. They will also be responsible for maintaining knowledge of current and emerging technologies related to security architectural solutions and developing repeatable application security patterns to ensure systems are placed within the relevant security zones based on the data they house and their purpose.

Responsibilities

  • Lead a team of security engineers and analysts to provide security engineering and architecture consultation.
  • Identify component and system level technical risks and evaluate critical failure points.
  • Determine technical security controls to mitigate risks and prioritize them with application development timelines.
  • Drive the Secure SDLC roadmap and Cloud security architecture.
  • Develop, implement, and maintain application security and GenAI security strategies.
  • Perform threat modeling, secure code reviews, and secure design reviews for high-risk applications.
  • Serve as a technical security/risk advisor for new technology/applications developed by S&P Ratings.
  • Develop strategies to automate security testing using various scripting and open source tools.
  • Assist developers in remediating vulnerability findings by providing line-by-line guidance.
  • Coach development teams on security disciplines like threat modeling and security code reviews.

Requirements

  • Bachelor's degree in Computer Science or a related field, or relevant work experience.
  • 6 or more years of progressive related experience in security engineering roles.
  • Experience managing security engineering teams.
  • Demonstrated subject matter expertise in application security, web services security, and GenAI/LLM security.
  • Experience with threat modeling, risk analysis, and control design.
  • In-depth knowledge of network security, authentication, and authorization.
  • Advanced understanding of vulnerability exploitation chaining and remediation.
  • Demonstrated expertise in product/application security architecture, including SOA, network security, and web services.
  • Knowledge of TCP/IP stack, encryption, TLS, DTLS, ECC, and PKI/certificates.
  • Experience with identity and access management (AD/LDAP).

Nice-to-haves

  • Programming expertise in Java and Python.
  • Knowledge of AWS cloud architecture and virtualization technologies such as Containers, EKS, Kubernetes, and VMware.
  • Experience with automation tools associated with DevOps and CI/CD pipelines.
  • Familiarity with SAST/DAST/SCA tools like Fortify and WhiteSource.
  • Database knowledge including Postgres, Oracle, Databricks, and Snowflake.
  • Experience with secure SDLC frameworks such as NIST SSDF and OpenSAMM/BSIMM.
  • Familiarity with AI technologies and services, including security of GenAI models.

Benefits

  • Continuing education credits
  • Health insurance
  • Referral program

© 2024 Teal Labs, Inc