Application Security Program Manager

SWBC is seeking a talented individual that will be responsible for managing the company's application security program to mitigate financial, legal, compliance, and privacy risks by identifying and eliminating vulnerabilities and facilitating delivery and maintenance of secure software. This role involves overseeing an enterprise-wide program, integrating security principles within the SDLC, ensuring compliance with regulatory requirements, and coordinating security training and standards for stakeholders. The manager collaborates with various teams under the CISO's direction to develop and maintain secure infrastrucutre and applications; supporting multiple software engineering projects; including evaluating the security of software and applications. Additionally, the manager focuses on improving the software development lifecycle by embedding security early and often, ensuring robust security controls are in place, and continuously enhancing development and operations delivery and integration practices to produce secure, high-quality software. This position thrives in a fast-paced environment, leveraging the latest technology and development practices to achieve positive outcomes for the company and its clients.

Why you'll love this role:

In this role, you will collaborate with top information security, technology, and business professionals in the financial services and financial technology (FINTECH) industries. As part of an agile and innovative security team, you will engage with stakeholders at all levels and interact with the industry’s leading partners. You will utilize advanced security technologies and tactics to protect cutting-edge financial and business technologies. Additionally, you will support agile software development and the delivery of exceptional cloud native solutions. Beyond exceptional career opportunities and unique experiences, our security team is diverse, passionate about collaboration, and leverages state-of-the-art technology and automation. We value laughter, celebrate our successes as a team, and our leaders prioritize empowerment, autonomy, work-life balance, professional development, continuous improvement, and a commitment to shared values. We work hard, support each other, and deliver positive outcomes daily.

Essential duties include the following:

• Provides overall program management to thoughtfully apply resources to lower application security risk. Develops and monitors metrics to evaluate continuous improvement, measure return on investment, and evaluate risk reduction goals; drives adoption of security controls and industry best practices; coordinates and aligns resources to prioritize risk identification and remediation; tracks known risks and issues; and measures and monitors the assurance evidence that is being generated. Works with software release teams to coordinate security reviews and align with software release schedules. Participates in meetings and agile processes to plan, schedule, and review software releases.
• Responsible for ensuring the security of applications by integrating security measures into the application architecture and CI/CD pipeline. This includes identifying and addressing vulnerabilities, scheduling, tracking, and managing security tests such as static and dynamic analysis, penetration testing, and vulnerability assessments. The role involves using tools and dashboards to monitor progress, ensuring visibility and accountability for security issues, and coordinating the execution of security tests. Additionally, it requires managing resources, prioritizing remediation efforts, and continuously updating security test plans based on evolving threats and application changes. The role also includes reviewing cloud infrastructure security to ensure compliance with security standards and best practices, identifying potential vulnerabilities, and implementing necessary countermeasures to protect cloud-based assets. Ensures robust security throughout the development lifecycle and across all deployment environments.
• Enables foundational application security controls through the enterprise by developing and recommending policies and coding standards; identifying or developing standard security controls; coordinating security training and learning paths; reviewing and recommending secure development and testing tools; integrating standard security tools; evaluating third-party components; and supporting the organization to acquire secure software. Integrates technology within the software delivery and integration pipeline to automate security scanning and assessments.
• Verifies that applications and software are secure. Uses positive verification approaches to verify that the appropriate security controls are in place and working properly; evaluates identified risks; and analyzes vulnerability patterns to identify root causes to improve future implementations. Evaluates application security risk using automated and manual verification techniques to find vulnerabilities in running applications and source code; develops and reviews plans to test security controls; evaluates risk based on the likelihood of exploitation and business impact; and develops mitigation strategies to remediate or lower the risk to an acceptable level.
• Inventories and reviews applications, endpoints, third-party software, and internal software to categorize each application and software product into levels of criticality based on the importance of the application to the business.
• Reviews application and software outsourcing agreements and contracts to ensure third-party products and software are safe and follow secure development practices. Verifies application security requirements are included in software and application acquisition and service contracts. Supports the company’s vendor management and business continuity management programs.
• Monitors security devices to detect application security threats and supports security incident response team actions as appropriate.
• Supports efforts to audit and assess application security program effectiveness by, with, and through internal and external stakeholders, clients, business partners, and vendors.
• Performs other duties as assigned.

Serious candidates will possess the minimum qualifications:

• Bachelor’s Degree in Computer or Software Engineering, Information Security, Cybersecurity, or related field from an accredited four year college or university. Master’s degree preferred.

• Minimum five (5) years of extensive experience within an enterprise software development environment to include a minimum of two (2) years of specialized experience in Application Security.

• Direct experience with and advanced knowledge of application and software development testing, verification, and remediation. Must be familiar with the principles of SDLC and separation of duties.

• Direct experience developing and reviewing software development test plans.

• Strong ability to strategize for the future, design controls, and define/generate reports and presentations to support recommendations.

• Experience supporting vendor management programs and internal and external control assessments by auditors, clients, business partners, and other stakeholders.

• Experience developing and maintaining an application catalog to support risk assessments.

• Experience evaluating software development risk using relevant factors to assess the business impact.

• Certified Secure Software Lifecycle Professional (CSSLP) required, or incumbent must be able to obtain certification within 6 months of hire.

• GIAC Cloud Security Essentials (GCLD) certification desired.

• Certified Information Systems Security Professional (CISSP) and Certified Cloud Security Professional (CCSP) highly desired.

• AWS Certified Solutions Architect or DevOps Engineer Professional certification highly desired.

• AWS Security Specialty certification highly desired.

• Cloud Security Alliance (CSA) Certificate of Cloud Security Knowledge (CCSK) desired.

• Knowledge of application security program management and OWASP’s Software Assurance Maturity Model (SAMM).

• Knowledge of OWASP Application Security Verification Standard (ASVS) and Mobile Application Verification Standard (MAVS).

• Knowledge of positive and negative security verification processes and methods including automated and manual reviews, scans, and testing.

• Knowledge of Amazon Web Services.

• Knowledge of JSON programming language desired.

• Experience and understanding of the DevOps deployment pipeline and security considerations for each step of the CI/CD processes.

• Experience using Microsoft Azure DevOps and its use within an enterprise software development lifecycle (SDLC).

• Knowledge of Agile and Waterfall software development lifecycles and supporting systems such as Scrum and Kanban.

• Knowledge the Payment Card Industry (PCI) Data Security Standard (DSS).

• Knowledge of IT Security Operations.

• Knowledge of Application Development/EDW/BI.

• Knowledge of Cloud, Conversational UI, AI, and Machine Learning.

• Knowledge of software engineering.

• Demonstrated leadership and teamwork skills.

• Excellent verbal and written communication skills with experience documenting software and application configurations and communicating with developers, architects, and administrators.

• Self-starter with strong organization and project management skills and the proven ability to manage own time effectively.

• Strong analytical skills with the ability to assess a question, risk, or an issue and respond appropriately and accurately.

• Strong detail orientation and problem resolution skills in order to present results accurately and professionally.

• Proficient Microsoft Office skills, including Word and Excel.

• Excellent verbal and written communication skills.

• Familiar with team development tools and source control, including Azure DevOps, GIT, etc.

• Able to work as an essential part of a highly motivated business, technology, development teams.

• Excellent communication skills and the ability to work with teams and external stakeholders are essential.

• Able to use general office equipment including copy machine and phone system.

• Proficient with MS Word and MS Excel.

SWBC offers*:  

• Competitive overall compensation package
• Work/Life balance 
• Employee engagement activities and recognition awards 
• Years of Service awards
• Career enhancement and growth opportunities 
• Leadership Academy and Mentor Program
• Continuing education and career certifications 
• Variety of healthcare coverage options
• Traditional and Roth 401(k) retirement plans 
• Lucrative Wellness Program

*Based upon employee eligibility 

Additional Information:

SWBC is a Substance-Free Workplace and requires pre-employment drug testing.

Please note, SWBC does not hire tobacco users as allowed by law.

To learn more about SWBC, visit our website at www.SWBC.com. If interested, please click the appropriate apply button.