The Application Security Architect (ASA) is responsible for promoting, designing, and evaluating application security in all phases of the application life cycle, including the evaluation of security implications upon integration to the associated technology stack.
The ASA shall ensure that appropriate and effective security techniques and solutions are identified, implemented, and used. The Application Security Architect shall support relevant activities for enterprise security including:
* Fostering a culture of security consciousness across the software development teams
* Identifying security design flaws and guiding development teams to address them
* Developing initial proof-of-concept implementations of security solutions
* Performing research in software security and remaining at the leading edge of the field
The Application Security Architect defines, enhances, and implements information security architecture, while ensuring consistent and effective information security administration procedures and processes.
The ASA facilitates the identification of relevant security threats (threat modeling and misuse/abuse cases) and the establishment of appropriate security control requirements and test plans for all application types, such as custom internal or cloud-hosted web apps/services, mobile apps, and big data solutions including ETL.
The Application Security Architect:
* Ensures that software is architected and designed to avoid security-related logic flaws and other adverse security consequences.
* Ensures that 3rd-party software is securely configured.
* Develops reference implementations for technology-specific security controls.
* Provides expert guidance to developers on the appropriate selection, design, implementation, and configuration of application security controls.
* Provides enterprise guidance by supporting the augmentation of Technology Policies and Standards with security requirements.
* Provides administrative support in setting up acquired security solutions, socializing them to and onboarding clients of these services, monitoring related security events, and providing operational maintenance support for these services.
* Security awareness training: designs, develops, and delivers presentations focused on raising awareness of crucial security-relevant considerations and defensive programming.
The ideal candidate must have:
* 7+ years of software development experience in a Microsoft .NET environment
  * Financial industry IT experience is a plus
Solid understanding of one or more of the following:
* Delivery of secure, Internet-exposed, multi-tier, web-based systems.
* Hands-on experience with full SDL of large-scale, enterprise-wide IT development projects, such as requirements gathering, design patterns, secure coding, QC testing
Must have hands-on expertise on one or more of the following technologies:
* Professional development with C#/.NET.
* Two (2) years of experience evaluating the security of applications using both manual and automated techniques. Relevant tool experience should include code security scanners such as Fortify SCA, web vulnerability scanners such as HP WebInspect or IBM Rational AppScan, and assessment support tools such as Burp Suite, Metasploit, Core Impact, etc.
* One (1) year of experience with Cloud services integration, such as Amazon Web Services (AWS), and Salesforce/Force.com; with knowledge of security considerations for each deployment type (IaaS, PaaS, SaaS) and respective services (EC2, EMR, S3, Redshift, RDS, …)
* Experience providing software architecture security guidance, including developing application threat models and methodically protecting against business logic and design flaws that could introduce security vulnerabilities.
* Knowledge of security considerations related to physical vs. virtualized environments such as at-rest encryption considerations
* Authentication/authorization systems such as MS Active Directory, RSA ClearTrust, …
* Data protection concepts for at-rest, in-transit, and in-use exposures, such as PKI/PKCS and masking/sanitization
* Crypto APIs such as RSA BSAFE, Bouncy Castle, CAPI, …
* Secure configuration and operation of Application Servers, Web Servers, Directory Servers, Media/Content Servers, Messaging Servers, and Database Servers
* Application-layer intrusion detection systems such as Sanctum AppShield or Kavado.
* Knowledge of and experience with built-in and add-on security capabilities of common application
Soft Skills:
* Ability to operate effectively in a highly fluid environment.
* Ability to establish strong working relationships with business, operations, and technology partners at all levels of the organization.
* Ability to rapidly ramp up in new business and technology areas.
* Self-starting, high energy level and exceptional work ethic.
* Strong verbal and written business and technical communication skills.
* Strong analytical skills to make strategic assessments
* Must demonstrate good judgment and a pragmatic approach to delivering software that balances architecture activities against company needs, business constraints, and technological realities
* Motivated, self-directed, highly proactive attitude
* Should have participated in, and be familiar with, Agile (Scrum) project methodology and practices; Certified ScrumMaster is a plus
* Ability to support and implement an appropriate business-aligned strategic architecture vision.
Education:
* BS in computer science or related field from a four-year college or university.
* CISSP® - Certified Information Systems Security Professional
Competitive salary and benefits offered. The position is located in Fairfield, IA and relocation assistance is provided.
Manpower is an Equal Opportunity Employer (EOE/AA)