Senior Application Security Engineer
The Senior Application Security Engineer is responsible for promoting, designing, and evaluating application security in all phases of the application life cycle. The ASE shall ensure that appropriate and effective security techniques and solutions are identified, implemented, and used. May lead a small team of Engineers.
Essential Job Functions:
- Software Security Assessment: Evaluate applications for appropriate and effective use of security controls using tools and techniques such as source code analysis, vulnerability scanners, and manual testing techniques.
- Application Security Control Development: Provide expert guidance to developers on the appropriate selection and implementation of relevant application security controls.
- Security Awareness Training: Design, develop and deliver presentations focused on raising awareness for crucial security relevant considerations and defensive programming techniques.
- Support the planning and execution of the application security testing and evaluation program, with the possibility of mentoring junior team members.
- Advise and consult internal clients on appropriate application of security practices and existing security services to solve problems or enable new business opportunities.
- Serve as subject matter expert on application and information security technologies and methodologies.
Other Responsibilities:
- Perform other duties and responsibilities as assigned.
Education/Experience Requirements:
- B.S or M.S in Computer Science, or equivalent education or experience. Emphasis in software security a plus.
- At least three (3) years of professional experience with M.S degree or at least five (5) years of experience with a B.S degree to include:
- Two (2) or more years in software engineering and development with emphasis on the delivery of secure, Internet-exposed, multi-tier, web-based systems using Java/J2EE and/or C#/ASP/.NET (experience with both a plus).
- At least one (1) year of hands-on experience evaluating the security of applications using both manual and automated techniques. Relevant tool experience should include code security scanners such as Fortify SCA, Checkmarx; web vulnerability scanners such as HP WebInspect or IBM Rational AppScan; assessment support tools such as BurpSuite, Metasploit, or Core Impact.
- Experience mentoring and leading small teams and demonstrated responsibility for managing security assessments for a portfolio of applications is desirable.
- Strong written and verbal communication skills. Specific relevant experience may include technical reports (especially application security assessment reports), technical whitepapers, presentation development and delivery (for both technical and business audiences), technical training, etc. Candidate should have experience making and defending sound technical arguments that incorporate relevant technical and business considerations, and building consensus among stakeholders.
Desirable Security-related Experience:
- Knowledge of security considerations related to virtualization and cloud computing.
- Mobile Application Security on iOS and/or Android devices; includes experience in secure development of applications and/or analysis.
- Knowledge of and hands-on experience implementing DevSecOps (enabling security in DevOps).
- Knowledge of and hands-on experience with AWS fundamentals and security a plus.
- Financial services industry (Insurance, Banking, Investments) experience a plus.
- Providing software architecture security guidance, including developing application threat models and methodically protecting against business logic and design flaws that could introduce security vulnerabilities.
- Design patterns and coding standards for secure software.
- Familiarity with commonly used authentication & authorization systems such as Siteminder, Okta, ForgeRock.
- Knowledge of PKI systems.
- Knowledge of cryptographic tool kits for application development such as RSA BSAFE or others.
- Knowledge of general application security APIs and protocols such as MS CryptoAPI, Kerberos, SSL/TLS, SAML, S/MIME, and PKCS APIs.
- End-to-end, hands-on experience in security solutions for complex enterprise architectures.
- Knowledge of cryptographic solutions for protection of data in use, in transit, and at rest, such as masking, SSL/TLS, IPSec, or format-preserving encryption and sanitization.
Salary Information:
For work that is performed in CA, CO, HI, MN, VT, IL, Jersey City, NJ, New York, NY, MD, Washington, DC, and WA, the chart below outlines the proposed salary range for the corresponding location. In addition to location, actual compensation is based on various factors, including but not limited to the candidate's skill set, level of experience, education, and internal peer compensation comparisons.
- CA: Minimum Salary $106,400, Maximum Salary $200,200
- CO/HI/MN/VT*: Minimum Salary $92,500, Maximum Salary $166,800
- IL*: Minimum Salary $101,800, Maximum Salary $183,900
- Jersey City, NJ/NY, NY: Minimum Salary $111,000, Maximum Salary $200,200
- MD/Washington, DC: Minimum Salary $106,400, Maximum Salary $191,800
- WA: Minimum Salary $92,500, Maximum Salary $191,800
*Including positions performed outside the state but reporting to an office or manager in that state.
Candidates can expect salary offers that range from the minimum to the mid-point of the salary range. FINRA provides full pay ranges so that the candidate can consider their growth potential while at FINRA.
To be considered for this position, please submit an application. Applications are accepted on an ongoing basis.
FINRA strives to make our career site accessible to all users. If you need a disability-related accommodation for completing the application process, please contact FINRA's Employee Relations team at 240.386.4865 or by email at EmployeeRelations@finra.org.
FINRA is an Equal Opportunity and Affirmative Action Employer. All qualified applicants will receive consideration for employment without regard to age, citizenship status, color, disability, marital status, national origin, race, religion, sex, sexual orientation, gender identity, veteran status or any other classification protected by federal, state or local laws as appropriate, or upon the protected status of the person's relatives, friends or associates.
2020 FINRA. All rights reserved. FINRA is a registered trademark of the Financial Industry Regulatory Authority, Inc.