Job responsibilities
- Cultivate security culture Working with Product and Engineering colleagues, be the security champion that strives to prioritize sustainable controls and driving real risk reduction outcomes.
- Build Secure products ensure security is considered throughout the Product and Software Development Life Cycle. Provide security best practice, build security design patterns, complete security architecture reviews, threat models and risk assessments. Help solve engineering problems by implementing technical controls to mitigate risk.
- Security Thought Leadership Keep up on security best practice and be a continuous learner. Guide and define our security practices and standards end-to-end, be recognized as a point of escalation and subject matter expert for IT Risk and Cyber domains.
- Work Together We work together with product and engineering, we help to solve problems and not just calling out issues, We also operate within a larger business and align with the wider security function across JPMC.
- Secure Environment Ensure we are deploying products into a secure environment, aligning with the FIRM control requirements, supporting on-going business-as-usual, vulnerability management, internal security consultancy, audit and regulatory engagements, risk activities and project initiatives. Work closely with Third Party Oversight teams to ensure effective technology risk management, with a focus on Cloud computing / emerging technologies.
Required qualifications, capabilities and skills
- Formal training or certification on security engineering concepts and applied experience
- Extensive experience in an engineering role with heavy focus on security.
- Excellent knowledge of best-practices for securing Micro-service architectures.
- Excellent knowledge of securing Kubernetes environments.
- Excellent knowledge of methods for authentication, authorization (ODIC, OAuth 2, FIDO 2 .etc..)
- Excellent knowledge of modern SDLC practices with a focus on embedding security into CI/CD pipelines.
- Excellent knowledge of all of the above concepts in the context of at least one (ideally more!) public cloud provider (AWS,GCP,Azure)
- A desire to teach others and share knowledge. We aren’t looking for hero engineers, we look for team players. We want you to coach other team members on security coding practices, design principles, and implementation patterns.
- Comfortable in uncharted waters. We are building something new. Things change quickly. We need you to learn technologies and patterns quickly.
- Ability to see the long term. We don’t want you to sacrifice the future for the present. We want you to choose technologies and approaches based on the end goals.
- Clarity of thought. We operate quickly and efficiently, and we value people who are economical with their time and clear with their opinions.
Preferred qualifications, capabilities and skills
- Understanding of applied cryptography - symmetric/asymmetric cryptography, Certificate management.
- Knowledge of offensive security, Application and Infrastructure penetration testing (OWASP top 10, OWASP ASVS)
- Understanding of security vulnerabilities and remediation options in codebases (Java/Kotlin/etc) & containers
- Excellent knowledge of security/identity SaaS vendors (Auth0, Forgerock, Keycloak)