The Software Application Security Architect will focus on application security, with a primary focus on establishing and implementing a Secure Development Lifecycle (SDL) for the organization. This role, embedded in the product development life cycle, will ensure the confidentiality, availability, and integrity of systems and data by applying software security design principles to applications and software development. The Security Architect will own, develop and implement strategies to continuously "shift left" and ensure a "security-at-birth" model. The Software Application Security Architect will lead efforts to establish long-term information security architectural direction, establish standards, create secure coding guidelines, teach developers, and establish secure application development checks and balances within the SDLC. Individuals in this role will engage with Product Managers, Architects and R&D Engineering teams to ensure that security considerations are addressed well in advance during the product development cycle. The Security Architect will review high-level design, low-level design and system specification documentation for security considerations and sign them off before development begins. The Security Architect will also collaborate with architects and R&D teams to arrive at appropriate security solutions that balance security risk against business impact. The successful candidate is expected to interact effectively with the management team, the CISO, internal/external auditors, third parties, legal counsel, regulators and other key stakeholders.
- Assist the organization in the development and implementation of Secure Development Lifecycle (SDL) and privacy practices, including policies, standards, guidelines and procedures. Assist engineering teams in the adoption and execution of the SDL.
- Perform threat modeling, design reviews, peer code reviews and privacy reviews as part of the secure development lifecycle.
- Help engineering teams build capabilities in secure code review, security testing, fuzz testing, and advanced developer testing.
- Support engineering teams with secure design, secure coding, security testing, and SAST and DAST tool usage.
- Develop abuse cases and alternate flows, and maintain a list of actors that could be malicious toward our product.
- Drive security education and awareness for the engineering organization.
- Develop, publish and maintain secure development standards, guidelines and patterns, and work with engineering peers to adopt them.
- Support the Product Security Incident Response Team (PSIRT) function to quickly mitigate product security incidents.
- Work with engineering teams to update their open-source packages and maintain a secure engineering environment. Review security patches and fixes to confirm that the remediation approach is correct and follows best practice.
- Support and assist the adoption of CI/CD/CS pipelines and reviews.
- Build POCs and tooling for engineering and QA/QE teams for security testing.
- Lead, manage, and direct a team of Product Security professionals.
- Bachelor of Science degree in an engineering discipline; Master's degree preferred, or equivalent work experience.
- 10+ years of software development experience, with at least 5 years developing secure systems.
- 5+ years of DevSecOps experience in highly diversified and high-growth organizations.
Preferred Technical Skills
- Excellent programming experience (design, coding and debugging) with object-oriented programming skills.
- Software development experience, especially in programming languages and frameworks such as Java, Spring, and SOAP and REST APIs in a Linux/Tomcat environment, is helpful.
- Established track record in leading application security / DevSecOps teams in implementing "shift left" strategies. Familiarity with the leading tool-sets, including continuous penetration testing, automation, and SAST/DAST tools.
- Sound understanding of cryptography, common encryption algorithms, Public Key Infrastructure (PKI) and Certificate Authorities (CA).
- Experience with and knowledge of penetration testing methodologies and tools.
- Experience in establishing and rolling out threat modeling whose output developers and engineers can consume as user stories.
- Experience building security communities across engineering teams through evangelism and training programs.
- Thorough understanding of the OWASP Top 10 and the mitigations for each item.
- Excellent grasp of secure software concepts, i.e. the security implications of software development decisions.
- Experience with software vulnerability assessment tools.
- Experience in designing security solutions.
- Experience in assessing the security of IaaS, PaaS and SaaS platforms is helpful.
- Incident management, including analysis and response.
- Certifications in security and privacy demonstrating deep practical knowledge, such as ISC² CSSLP, CISSP or CSSP, SANS Secure Software Development, CompTIA Security+, CEH, OSCP.
- Effective communication (internal, customer, legal counsel), collaboration (internal, external) and strong written skills (white papers, vulnerability specifications, etc.).
- Strong interpersonal skills, with the ability to facilitate diverse groups, help negotiate priorities, and resolve conflicts among project stakeholders.
- Technical leadership experience in the software security field.
- Excellent cyber security capabilities and strong software engineering skills.
- Active participation in cyber security forums/conventions, e.g. DEF CON, Black Hat. Public speaking is a plus.