Chief Security Architect

RESPONSIBILITIES:

• Establish security best practices and procedures for mobile, on-premises, and cloud-based platforms.
• Provide expert knowledge and guidance to product teams about security vulnerabilities and remediation controls.
• Support and consult with product and development teams in application security, including threat modeling and Application Security reviews.
• Implement and maintain secure Software Security Development Lifecycle processes and software maturity model.
• Perform threat modeling, secure design, and source code review.
• Conduct security assessments, testing, and validation of vulnerability scan results.
• Assist teams in reproducing, triaging, and addressing application security vulnerabilities.
• Integrate security tools into the product development and deployment process.
• Develop, implement, and automate defensive controls, creating and tuning tools and rules to detect malicious activity. Responsible for integration of security controls into SDLC.
• Establish supply chain security process and ensure third-party software meet standards.
• Facilitate injection, integration, and compliance for Static Application Security Testing (SAST), Container Security Scanning & Open-Source Security Analysis during development phase.
• Facilitate injection, integration, and compliance for Dynamic Application Security Testing (DAST)
• Contribute to triaging, addressing security issues, and tracking remediation.
• Manage Secure SDLC tooling.
• Develop and customize security tools used by security teams and developers.
• Collaborate with development teams to build security into their SDLCs.
• Provide remediation guidance to programmers and management.
• Support bug bounty program
• Prepare security releases
• Mentor and train development teams on secure coding standards and techniques. Develop Secure Coding Program.
• Innovate at the pace of the adversary using latest techniques.

REQUIRED SKILLS AND QUALIFICATIONS:

• Bachelor's degree in Computer Science, Information Systems, or equivalent combination of education and experience.
• Certifications in the field of Information Security (at least one of the following: CISSP, CEH, GIAC CPEN, OSCP, OSWE, CWAPT, GWAPT, GWEB).

BENEFITS:

• Minimum 3 to 5 years of experience.

GENERAL KNOWLEDGE, SKILLS & ABILITIES:

• Deep understanding of web and mobile security vulnerabilities, attack vectors, and mitigation techniques.
• Experience with multiple programming languages (Java, JavaScript, Go, Python, Ruby, Objective-C, C#, PHP) with hands-on level coding experience with at least one scripting and one object-oriented programming language.
• Fluency with security testing using SAST, SCA, DAST, IAST, Fuzz, and penetration testing tools.
• Understanding of application security standards such as OWASP ASVS/Top 10 and CWE 25.
• Ability to discover and patch SQLi, XSS, CSRF, SSRF, authentication, and authorization flaws, and other web-based security vulnerabilities (OWASP Top 10 and beyond).
• Knowledge of common authentication technologies including OAuth, SAML, CAs, OTP/TOTP.
• Knowledge of DevSecOps to maintain security in CI/CD pipeline.
• Solid experience with security tools like Semgrep, CheckMarx, VeraCode, BurpSuite, Snyk, Nessus.
• Familiarity with tools like Git, Jenkins, CircleCI, Maven, Ant, Gradle, Nexus, SonarQube, Artifactory, Chef, Splunk.
• Experience writing custom rules for static analysis tools.
• Experience with API Security, IaC, Containerization, RASP, IAST.
• Experience with microservices, container deployment, and service orchestration.
• Strong knowledge of cryptography, API security, and secret management.
• Ability to clearly and effectively communicate concerns and issues to management and engineers.
• Experience with Cloud (AWS, Azure, GCP) Security.
• Experience writing tools to automate tasks and integrate systems using scripting languages like Go, Python, and REST APIs.
• Experience in delivering and educating development groups in Secure Coding.
• Expertise with common vulnerabilities and attack vectors.
• Experience integrating security tools into developer pipelines.
• DevOps experience managing deployment and configuration.

General skills include:

• Strong critical thinking and analytical skills.
• Ability to approach problem-solving in a constructive and collaborative way that does not require absolute security.
• Ability to communicate complicated technical issues and risks to programmers, network engineers, and managers.
• Strong leadership, project, and team-building skills.
• Exceptional communication skills with diverse audiences; ability to be an application security subject matter expert who can explain relevant topics to general audiences.