FirstFed Financial Corp.
AVP, Application Security Engineer
at FirstFed Financial Corp.
- Job Family: Information Technology - IT Operations
Founded in 1908, CIT (NYSE: CIT) is a leading national bank empowering businesses and personal savers with the financial agility to navigate their goals. We believe in helping customers turn their ideas into outcomes. Whether those customers are building a business or building their savings, CIT has the experience and agility to empower them to achieve their goals. At CIT, how we do business is just as important as what we do. Our social responsibility programs focus on driving financial and personal empowerment, supporting the environment and advancing wellness. CIT contributes to communities where we live, work and do business through charitable donations, community investments and employee volunteerism.
The Application Security Engineer is a hands-on, first-line role responsible for evaluating and enforcing security across the Secure Software Development Life Cycle (SDLC). The Application Security Engineer will conduct code reviews and assess and remediate issues identified by application security scans using various tools. The position will work closely with IT Development implementing, executing and improving the security of CIT-developed applications, where unaddressed flaws could lead to negative operational, reputational and/or financial impact. The ideal candidate will have solid experience operating a risk-based penetration testing program, conducting both manual and automated penetration tests to improve application security, and effectively communicating flaws to management as part of risk metrics reporting.
- Conduct ongoing code reviews and application security scans, identify and interpret flaws, consult and advise development teams on remediation, and track issues to resolution in accordance with service level agreements (SLAs).
- Proactively manage security flaws and engage IT Development to ensure issues are resolved in line with SLAs.
- Maintain monthly management reporting supporting this effort.
- Perform dynamic and static testing using various tools, provide recommendations and guidance on mitigations, and validate issue remediation. Maintain detailed evidence documentation throughout the process.
- Review application security and approve application changes as part of formal Change Management process.
- Collaborate with colleagues from Security Architecture & Assurance, Security Operations and IT Development in the testing and remediation process, including resolution of issues stemming from risk assessments and third party penetration testing.
- Participate in the development of security standards, provide recommendations for improving application security program based on subject matter expertise and industry best practices.
- Maintain application security program standard operating procedures in line with applicable CIT Security standards.
- Contribute to regulatory, risk assessment and internal audit examinations where required.
- 5+ years' experience in an application security function working with developers throughout the Secure Software Development Life Cycle.
- Ability to identify security vulnerabilities from source code reviews/testing and provide security guidance to development teams.
- Strong knowledge of Open Web Application Security Project (OWASP) guidance.
- Strong knowledge of common application security vulnerabilities (e.g., XSS, CSRF, SQL injection, input/output validation, etc.) and how to engineer software to avoid them.
- Expertise in application security testing, static and dynamic analysis.
- Prior experience programming in one or more server-side technologies (e.g., ASP.NET) is ideal.
- Experience with manual penetration testing and combining it with automated methods and tools.
- Familiarity with web application firewalls.
- Critical thinker with demonstrated problem solving skills.
- Demonstrated ability to prioritize and successfully manage competing work assignments in a time sensitive environment.
- A high degree of initiative required with the ability to work independently or as part of a team.
- High level of personal integrity, and the ability to professionally handle confidential matters and project the appropriate level of urgency, judgment and maturity.
Key terms: Application security engineering, OWASP, static/dynamic analysis, penetration testing and tools, defensive programming, application security training, malware techniques and defenses.