Application Security Engineer

- - - - - - - - - - - -

MISSION

As part of the Michelin Group's Cybersecurity Expert (Business Support, Business Protection, Promotion of Responsible Security Behavior), in a field defined by the Michelin (Department DOTI) for ISIT security activities at DOTI and as a member of the CSSI team at DOTI :

• He/she is the privileged point of contact for all security aspects of his/her entity and liaises with his/her management team for the implementation of and compliance with security rules and practices.
• Together with DOTI/SSI, he/she defines the security roadmap for his/her entity, communicates it and contributes to its adoption.
• Provides the necessary support to project teams and day-to-day operations to ensure that security requirements are effectively implemented (e.g. follow-up of action plans following penetration tests, MGSR (security guidelines by Michelin).
• Deploys the “Security by design” approach within the entity and contributes to security education and training, which includes but not limited to SAT (security acceptance testing), vulnerability management, obsolescence management, patch management, enforcement of strong authentication and security by design framework.
• Participates in the network of entity security correspondents and monitors the various ad-hoc subjects initiated with Group Security.
• Maintains a technological and innovation watch for elements specific to his entity in terms of safety, in line with the entity's needs and requirements (for all non-specific matters, other entities oversee safety watch).
• Conducts and provides first-level support for risk analysis within the entity's application perimeter and contributes to vulnerability detection and remediation (EBIOS analysis, vulnerability scan follow-up, patch forum).
• He/she contributes to the dissemination and evangelization of best practices and safety regulations, by coordinating a network of safety contacts within his/her entity.
• He/she will act as backup to the Team Lead technical team.

KEY EXPECTED RESULTS

PERFORMANCE MEASUREMENT

1 Security by design enforcement

• All projects should follow the best practices of SecByDesign, max deviation should not cross 0.02% defects

2 Vulnerability & Patch management

• Maintain the N-1 cycle and approach and ensure all assets, library and platform is updated with latest patch

3 Security Acceptance Testing

• All project should qualify the specific security requirement on project and should not over-cross the requirement

4 Obsolescence Management

• Life-cycle management of all ISIT assets, platform, OS, DB, Middleware, front-end, back-end and libraries
• Deviation should be mitigated within stipulated time-frame, maintain proactive eol and eos information and communicate with business for refresh

5 Security Authentication / Privilege management

• Strong security authentication for integrated system and human interacted software systems, if user is privilege then it must go thru MFA or Passwordless authentication mechanism.
• Generic ID’s and PKI certificate life-cycle should be maintained and managed within due course of time-line.

MAIN ACTIVITIES

By following security charter & process:

• Identifies evolution of critical assets and local points of contacts.
• Contributes to cybersecurity plan and evolutions of cybersecurity methods.
• Select CIS Framework controls, validate what is needed with respect to business services & solution
• Lead the business team to create right synergies between core security team and PNI security team
• Work with the business to promote a culture of Risk awareness and control and to ensure consistency of practice and approach.
• Being proactive to provide right learning content to your team of developer to adopt the security by design framework
• Ensure the implementation of good security practices by dev/indus/test/operation teams, including in devops mode.
• Ensure regular reviews of user accounts on the scope of consolidation to ensure a good level of security
• Ensure regular reviews to ensure that the observed scope is compliant and that there is no shadow IT, identify the possible shadow IT.
• Verifies project security architectures in conjunction with the DOTI and group security teams.
• Controls the security level of dev/indus/test/prod environments and compliance with security rules for multi-tenant cloud environments and outsourcing actions.
• Ensure timely creation of roadmap and leading discussion with business to ensure all platforms are refreshed on timely manner, OS/DB’s are updated once they are reaching their life-cycle, middleware, libraries are refreshed and used as and when they become obsolete
• Follows up progress of corrective action plans until closure.