Citi Group Application Security Lead Analyst - VP 

United States, Texas, Irving 

341088269

Success in the role requires an innovative mind, a proven track record of delivering solutions that meet security needs, integrate application security into our DevOps pipeline, automate security as code and enable successful detection and response to any and all threats in our environment. The primary focus will address testing needs within development organizations striving for continuous deployment and using automated security tooling including SAST, DAST and SCA. Within his/her leadership role, this individual is expected to train and guide application teams as a hand-on participant.Responsibilities:

The candidate will be responsible for the aspects of the Application Security Program initiatives including but not limited to the following:

• Early Detection of Vulnerabilities : Proactive in identifying and mitigating security risk before they moved to production environment.
• Perform application security testing on various types of applications such as web, APIs (REST/SOAP/Micro services), mobile, etc. by utilizing Static Application Security Testing (SAST), Interactive Application Security Testing (IAST), Dynamic Application Security Testing (DAST) and Component Vulnerability Management (CVM).
• Provide required trainings and guidance to the developers that helps to prevent introduction of vulnerabilities.
• Guide the application teams to proactively identify and remediate the vulnerabilities during the development phase by utilizing the Application Security Tool Suite in the CI/CD pipeline.
• Continuously evaluate application security practices and implement changes that improves developer security experience, reduces risk and accelerate the time to market.
• Build the data analytics and metrics to track the effectiveness of the App Sec initiatives.
• Have the ability to read and understand application source code in order to provide specific recommendations for the identified vulnerabilities to application teams.
• Have strong technical writing and presentation skills to report and articulate security vulnerabilities to technical and non-technical audiences.

Qualifications:

• At least 5 years of experience in security testing performing:
  • Application penetration testing including Web, API, Mobile
  • Source code review preferably in Java or .NET programming languages
  • Software composition analysis
  • Threat modeling
• A good understanding of enterprise application development using programming languages such as Java or .NET.
• Experience in source code management, build and deployment technologies such as RLM, Udeploy, Jenkins, Artifactory, Maven, GitHub, etc
• Good understanding of the following: JIRA, Checkmarx, BlackDuck, Contrast, AWS, GCP, Azure, Docker, Kubernetes, OpenShift, PCF.
• Excellent communication skills (written and verbal) and the ability to communicate with all levels of staff and management are also essential.
• Must have a strong understanding of ethical hacking methodologies, frameworks, and industry resources, e.g. OWASP, NIST publications, SANS/CWE, among others.

Education:

• Bachelor’s degree in Computer Science, Information Systems Management, or related field preferred.
• Industry-accredited security certifications will be required. The candidate must have or be willing to obtain certifications from the following industry recognized organizations: Offensive Security, GIAC, ISC2, EC-Council, ISACA, etc.

Anticipated Posting Close Date:

View the " " poster. View the .

View the .

View the