Application Security Architect
At Fitch, we have an open culture where employees are able to exchange ideas and perspectives throughout the organization, irrespective of their seniority. Your voice will be heard, allowing you to have a real impact. We embrace diversity and appreciate authenticity; employees work in an environment where they can be their true selves. Our inclusive and progressive approach helps us to keep a balanced perspective.
With our expertise, we are not only creating data and information, but also producing timely insights from every angle to influence decision making in this ever-changing and highly competitive market. We have a relentless hunger to innovate and unlock the power of human insights and to drive value for our customers. There has never been a better time to make an impact and we invite you to join us on this journey.
The Application Security Architect will be responsible for managing an application security program that includes architectural design reviews, code scanning, web application scanning, and penetration testing, as well as the development of applicable training programs and application security standards. The Architect will be responsible for understanding Fitch Group's application architectures to identify security gaps, develop controls, and design solutions that meet business objectives while complying with security standards and regulatory requirements. Candidates must have a firm understanding of security concepts relating to all technical areas involved in developing, building, deploying, and running modern applications in both on-premise and cloud environments.
This role will provide guidance to the Technology Risk team, the application development teams, the DevOps team, the cloud engineering team, and to other internal engineers and developers. As an experienced member of the Technology Risk team, the Application Security Architect will provide thought-leadership and consulting-like services in subject matter expertise disciplines such as application security architecture, secure application development, developer training, application security testing tools, penetration assessments, bug bounties, metrics and measurement, and standards, guidelines and processes/procedures. The role will require the development, implementation, and administration of a comprehensive enterprise application security program to ensure the confidentiality, integrity, and availability of information owned, controlled and/or processed by the Fitch Group.
Job Responsibilities:
• Understand Fitch Group's fundamental business activities and its portfolio of business operations.
• Maintain current knowledge of threats, regulations, and compliance related to information security.
• Based on this knowledge, develop, maintain and oversee an enterprise-wide application security program that is aligned with the Fitch Group's business strategy.
• Provide subject matter expertise to management on a range of application security best practices.
• Thoroughly understand secure application design principles, including the areas of authentication, authorization/least privilege, logging, encryption, data masking, data retention, and secure data transmission. Understand how these principles can be used to implement a zero-trust architecture.
• Collaborate with project teams and other system architects/engineers to develop designs for security mechanisms in applications, as well as designs for the applications' supporting infrastructure.
• Provide strategic and tactical security guidance for secure application development, including the evaluation and recommendation of technical controls.
• Assist in the development and management of security policies, standards, procedures, and guidelines.
• Conduct application security architecture reviews and perform application security assessments.
• Direct the selection, configuration, integration, and management of application security testing tools, specifically SAST tools for code scanning, DAST tools for runtime testing, and SCA tools to test for and block vulnerable third-party libraries.
• Partner with application development, DevOps, and Cloud Engineering teams to incorporate security throughout existing SDLCs and development and build practices.
• Work with the training department to manage a secure application development training program.
• Manage the penetration assessment program and track remediation of findings.
• Assist and advise on development of comprehensive application security metrics to report on areas such as application risk and security flaw remediation progress.
• Remain current with industry trends and security threats to advise management on how to mitigate and contain risks to the business.
• Perform other related duties as assigned.
Required Skills/Experience:
• At least 5 years of experience in an Application Development or Information Security function
• Experience managing automated application security testing tools, including Static and Dynamic Application Security Testing (SAST/DAST) and Software Composition Analysis (SCA)
• Experience with application testing tools (e.g., Burp Suite, Fiddler, Zap, Wireshark, Metasploit)
• Solid understanding of the most common application security risks (OWASP Top 10, SANS/CWE Top 25)
• Solid understanding of application, database and network vulnerability testing principles
• Strong technical and business writing skills, plus the ability to effectively explain plans and solutions verbally to both technology and business units
Recommended Skills/Experience/Education:
• Solid understanding of DevOps tools, including IDE (e.g., Eclipse, IntelliJ, Visual Studio), SCM (e.g., Bitbucket), CI/CD (e.g., Bamboo), Defect Tracking (e.g., Jira), Source Code Quality (e.g., SonarQube)
• Solid understanding of cloud environments (AWS, Azure), their underlying architectures, and their native tools and capabilities, as well as the container management solutions (EKS, AKS) that sit in them
• Understanding of current data privacy regulations, PCI requirements, NIST standards, and implementing processes and/or technology to ensure compliance and effective data protection controls
• Experience performing architectural security assessments of applications and their environments
• Experience conducting vulnerability assessments and assisting with development of remediation plans
• Recommended general security certifications: CISSP, CISA, or CISM - CISSP strongly preferred
• Recommended application security certifications (one or more): OSCP/OSEP/OSWE, CEH/LPT, CPT/CEPT, CASS, CASE, CMWAPT, CRTOP, GIAC GEVA/GPEN/GWAPT/GCPN/GXPN/GMOB/GDAT
• Bachelor's/Master's degree in Computer Science or a related field, or equivalent work experience
• Ability to support a 24/7 on-call function
If you're interested in applying for this role, please speak with Victor Gonzalez for more information.