Lead Application Security Engineer
CME Group is the world's leading and most diverse derivatives marketplace. But who we are goes deeper than that. Here, you can impact markets worldwide. Transform industries. And build a career shaping tomorrow. We invest in your success and you own it, all while working alongside a team of leading experts who inspire you in ways big and small. Joining our company gives you the opportunity to make a difference in global financial markets every day, whether you work on our industry-leading technology and risk management services, our benchmark products or in a corporate services area that helps us serve our customers better. We're small enough for you and your contributions to be known. But big enough for your ideas to make an impact. The pace is dynamic, the work is unlike any other firm in the business, and the possibilities are endless. Problem solvers, difference makers, trailblazers. Those are our people. And we're looking for more.
To learn more about what a career at CME Group can offer you, visit us at www.wherefuturesaremade.com.
The Lead Application Security Engineer is responsible for providing guidance and technical expertise on how to deliver services and best improve our application security and secure software development lifecycle. This individual is responsible for providing thought leadership to the rest of the engineers in the form of assessment methodology, delivery content, and delivery communications. This role leads by example by performing all of the Application Security team services and provides shadow opportunities for junior team members. As a technical leader on the Application Security Assessment team, this role must effectively communicate with CME technology, business, and third-party partners.
• 10+ years' experience performing blackbox/greybox/whitebox security assessments of applications (application pentests) which use HTTP and/or proprietary protocols.
• Expert knowledge and experience performing manual security reviews of application source code written in various languages, including Java, .Net (C#, VB#), C++, and others.
• Expert-level skills with application security testing tools including: Burp Suite, sqlmap, nmap, etc.
• Advanced knowledge of application reverse engineering and of tools such as: Java decompilers, .Net decompilers, IDA Pro, etc.
• Advanced knowledge of UNIX/Linux/Windows
• Advanced knowledge of scripting languages such as: Python, bash, PowerShell, etc.
• Experience with drafting of Security Standards, Reference Architectures and Implementation Guidelines
• Have a passion for application security testing and be able to share your passion and learnings with teammates and customers
• Self-motivated and a self-starter. (If you have a question, find the answer, ask somebody, figure it out, and communicate.)
• Excellent oral and written communication skills
• Perform all functions of the assessment team
• Provide technical leadership to team members and other stakeholders (e.g. development teams, project teams, business stakeholders)
• Provide input for strategic visioning / planning
• Identify the need for and develop new standards and reference architectures
• Perform peer review of assessment reports with constructive guidance
• Perform manual security assessments at key points in the SDLC
• Participate in security architecture reviews as a cross-team development activity
• Identify metrics that can help measure performance, gaps in coverage, need for resources, and trends in findings
• Train others on tools and processes used in AppSec methodology
• Have an interest in continuing your education and staying current within the application security domain
• Identify and document process improvements, secure team and manager support for them, and prioritize the changes
• Establish yourself as a recognized leader within the team
A Bachelor's or Master's degree in Computer Science, Information Systems or other related discipline is required; or equivalent combination of education and relevant proven work experience.
Certifications such as CISSP, GWAPT, OSCP/OSWE, or other relevant certifications are highly preferred.