
Principal II - Application Security

3.00 to 5.00 Years   Hyderabad   11 Feb, 2021
Job Location: Hyderabad
Education: Not Mentioned
Salary: Not Disclosed
Industry: Banking / Financial Services
Functional Area: General / Other Software
Employment Type: Full-time

Job Description

Job Purpose (Job Summary): Invesco Global Security is looking to hire a Principal who will work with application engineering teams to deploy and secure business applications. The Principal will be responsible for secure design, architecture, and vulnerability assessment and management. The team is looking for a Principal who is innovative and continuously seeks to improve the security of Invesco applications and network.

Key Responsibilities / Duties:

  • Provide application security advisory, solution architecture, and consulting to internal projects of varying size. Assist business and application development teams to develop secure solutions in support of business requirements.
  • Develop business acumen to support Secure Software Development Life Cycle (SDLC) for the business unit specific applications and deliver risk assessments with business contextual risk.
  • Perform security architecture reviews for applications based on approved enterprise security architectures. Analyze business impact and exposure, based on emerging security threats, vulnerabilities and risks.
  • Act as a security expert in application development, database design, network and platform (operating system) efforts, helping project teams comply with enterprise and IT security policies, industry regulations, and best practices.
  • Assist in development and execution of secure software development and vulnerability management strategy, tools and technology strategy, future state, standards, audits, and governance.
  • Assist with driving organization wide application security and vulnerability management strategies.
  • Perform application security risk assessments aligning with enterprise risk framework and present assessment summary reports to key stakeholders.
  • Participate in application security and vulnerability management projects. Track deliverables and provide periodic updates to the leadership team. Escalate security and project risks in a timely manner.
  • Implement and oversee DevSecOps project streams and related integrations.
  • Develop and communicate KRIs (Key Risk Indicators).
  • Drive threat modelling, code review and security testing initiatives.
  • Provide application security advisory and remediation guidance to address vulnerabilities.
  • Develop communication program for application security threats and awareness.
  • Keep current with industry best practices.
  • Maintain Application Security and Vulnerability Management process documentation.
  • Provide mentorship and direction to less experienced security engineers.
  • Other duties as assigned.
Work Experience:
  • 6+ years of combined IT and security work experience including infrastructure, systems, vulnerability testing, audit, or secure application software development
  • At least 3 years of experience with Application Security, including familiarity with tool sets supporting Application Security and Vulnerability Management (dynamic, static, and pen test)
  • At least 3 years of experience with secure application design and threat modelling
  • DevSecOps experience preferred
  • Experience with common information security management frameworks, such as International Organization for Standardization (ISO) 2700x, ITIL and National Institute of Standards and Technology (NIST) frameworks.
  • Working in large / global corporate environments involving multiple businesses.
  • Experience managing projects
  • Financial services highly desired.
Technical Skills Required:
  • Advanced understanding of SDLC, following the process to develop and design solutions effectively
  • Expert knowledge of application development frameworks
  • Sound understanding of security principles, such as infrastructure security, identity and access management, vulnerability management, and secure coding.
  • Advanced knowledge of secure coding practices based on OWASP and SANS.
  • Advanced knowledge and experience developing or testing: authentication infrastructure; SAML and OAuth SSO protocols; XML and JavaScript; Internet security protocols and technologies
  • A keen analytical mind for problem solving, abstract thought, and offensive security tactics.
  • Knowledge of common attack techniques for web, mobile and API, and of application testing tools
  • Ability to write scripts/tools to assist in testing is desired
  • Experience testing and analyzing applications and networks
  • Knowledge of encryption technologies and common network protocols
  • Understands and can apply commonly known security practices and possesses a working knowledge of applicable industry controls (e.g. SANS, NIST, CIS)
  • Ability to review and analyze security vulnerability data to identify applicability and false positives
Other Skills Required:
  • Strong interpersonal skills (written and oral communication) and ability to articulate complex issues to executives and customers
  • Proven ability to effectively communicate ideas and build consensus at all levels within the organization
  • Track record of success in planning and implementing large projects.
  • Ability to communicate technical information clearly and concisely, commensurate with the audience
  • Strong analytical skills with ability to define, collect, analyze data, establish facts, draw valid conclusions, and make fact-based decisions.
  • Conceptual thinking and communication skills: the ability to conceptualize complex business and technical requirements into comprehensible models and templates.
  • Good communicator (written and verbal) and listener.
  • Must be a team player and motivated self-starter with ability to work independently and remotely with limited supervision.
  • Possesses diplomacy and cooperative style necessary to interface effectively with all personalities and across functional disciplines.
  • Maintain strict confidentiality of all security issues including legal investigations, Compliance, and HR data requests
Formal Education:
  • A Bachelor's or Master's degree in Computer Science, Information Systems or other related field; or equivalent work experience.
License / Registration / Certification:
  • CISSP and/or CSSLP required.
  • DevSecOps, GWEB, GWPT, CEH, CISM certificates are desired.
Working Conditions:
  • Normal office environment with little exposure to noise, dust and temperatures
  • The ability to lift, carry or otherwise move objects of up to 10 pounds is also necessary.
  • Normally works a regular schedule of hours, however hours may vary depending upon the project or assignment.
  • Hours may include evenings and/or weekends and may include 24 hour a day on call support by pager and/or cell phone.
  • Willingness to travel both domestically and internationally. Frequency and duration to be determined by manager.
EMEA Regulatory Data:
  • SMCR Senior Manager: No
  • SMCR Certified Person: No
  • MiFID Knowledge & Competence role: No
  • FCA Training & Competence role: No
  • Material Risk Taker: No

The above information on this description has been designed to indicate the general nature and level of work performed by employees within this role. It is not designed to contain or be interpreted as a comprehensive inventory of all duties, responsibilities and qualifications required of employees assigned to this job. The job holder may be required to perform other duties as deemed appropriate by their manager from time to time.

Keyskills: web application development, strong analytical skills, software development life cycle, record of success, IT security policies, strong interpersonal skills, statements of work (SOW)
