Conduct security architecture reviews of customer-facing and back-office applications
Perform security threat modeling of these applications
Drive static security code analysis using static code scanning tools, review code, and triage the issues found
May help other team members to perform dynamic code scanning
Research third-party software products and components for security vulnerabilities and maintain a list of non-recommended components.
Participate in the security training process for developers, QA, and business analysts, particularly in GIC.
Assist in the iterative development of application security enterprise policies, standards, guidelines, and best practices for all Divisional software products in collaboration with other Architects and based on both internal and external compliance requirements.
Help to create an application controls framework by elaborating threat models through which internal assessments could take place.
Assist in creating an audit process for development teams to audit against internal security standards, guidelines, and controls. Automate compliance checks to improve audit efficiency and enable staff to self-check for compliance.
Qualifications
Essential
Bachelor of Science in Computer Science or Engineering preferred.
Proven experience in application solution architecture and code review.
Minimum of 2 years in the role of Software Architect or Application Architect with broad technical knowledge and architecture skillset.
Ability to review and quickly understand the architecture of an unfamiliar software solution, perform threat analysis, architecture review, and code review using tools.
Deep knowledge of .NET internals to analyze and understand .NET code and suggest appropriate code changes for vulnerability remediation.
Deep knowledge of web technologies and frontend development: ASP.NET, Angular, REST APIs, etc.
Sound knowledge of cloud technologies; Azure is a big plus.
Sound knowledge of web debugging tools such as Chrome DevTools, Fiddler, Postman, etc.
Sound knowledge of DevOps tooling: Git, Azure DevOps, etc.
Sound knowledge of databases: MS SQL.
Preferred
Minimum of 2 years in the software security area (not infrastructure, though some infrastructure security knowledge would be a plus).
Proven experience in static and dynamic security code analysis, problem identification, remediation design, and implementation.
Recently completed Application Security training.
Ability to balance different priorities and to raise and resolve conflicts with development teams.
Strong tactical execution skills.
Experience training software teams for secure coding and code refactoring for security.
Previous experience as an Application, Solution, Information, or Infrastructure Architect.
Experience with dynamic scanning security tools and penetration testing.
Experience with Burp Suite, Checkmarx, AppScan, and Black Duck would be a plus.
Experience using the Microsoft Threat Modeling Tool would be a plus.