Lead Associate Principal, Security Test Engineering

Summary

This role will work collaboratively with the Security Penetration Testers to develop continuous testing automation tools that will increase OCC's security posture against all threats that put OCC’s organizational operations, assets or individuals at risk. The Security Penetration Testing Team engages in threat intelligence gathering, security control validation testing, firewall rule reviews, expedited and emergency change reviews, network penetration testing, web application penetration testing, mobile device testing, and more. Team members must ensure the availability and integrity of OCC’s operational systems and self-disclose identified findings in a timely/proactive manner.

This individual will primarily work with the OCC Security Penetration Team to help plan, design, and develop the infrastructure and custom code necessary to automate OCC’s current security control validation related activities.  This role will also assist with performing ad-hoc white-box penetration testing work of OCC’s infrastructure that is still currently in Development, or in need of pre-Production penetration testing. The position will involve interaction with multiple teams such as Security Architecture, Cyber Defense, Security Assurance, and various other Security and IT teams to coordinate white-box penetration testing engagements and re-test remediated Adversarial Red Team findings.

The ideal candidate will have Full Stack Developer experience with a strong enthusiasm for Security.  Experience building Cloud infrastructure for testing, and custom scripting expertise in at least one proficient language is required. This candidate must be driven, an excellent communicator, and have the enthusiasm to learn and stay ahead of today’s emerging threats and MITRE attack techniques.

Responsibilities

• Collaborating with others to deliver complex projects which may involve multiple systems
• Develop solutions to complex technical challenges while coding, testing, troubleshooting, debugging, and documenting the systems you develop
• Optimize application performance through analysis, code refactoring, and system tuning
• Recommend technologies and tools that improve the efficiency and quality of OCC’s systems and development processes
• Conduct ad-hoc white-box penetration testing work of OCC’s infrastructure that is still currently in Development, or in need of pre-Production penetration testing.  These Penetration Testing activities may include Threat Intelligence Gathering, Network/Operating System/Application Penetration Testing, Web Application Penetration Testing, Mobile Application Testing, and more
• Build security-hardened Cloud testing assets to use for external security control validation testing purposes
• Coordinate with IT owners to re-test and validate remediated Red Team findings
• Execute Open Source Intelligence Collection and Analysis Techniques (OSINT); leverage available resources and develop custom tools
• Understand vulnerabilities and develop relevant exploits/payloads for use during Penetration Test activities
• Perform security risk assessment, threat analysis and threat modeling
• Perform reviews of OCC’s security, network, and applications in collaboration with Security Architecture and other OCC Security teams
• Stay on-time, on-budget, and within scope of testing activities
• Develop clear detailed reports and recommendations based on concrete evidence
• Debrief users and provide remediation strategy on findings
• Ensure alignment of security controls in OCC’s testing program and supporting services and related policies and procedures with applicable regulations and industry standard best practices
• Assist management with the improvement of policies and procedures to support Security Testing activities as well as other security duties which may arise
• Participate in developing a security roadmap, adopt security best practices, and implement new ideas and innovations according to the industry trends
• Adhere to the best practices and work for delivering secured and quality products
• Consult with technical experts and system owners on all aspects of Information Security and Compliance
• Work closely with Production Support staff, Incidence Response, and IT infrastructure to increase organizational security posture
• Support OCC’s security objectives and remediation efforts relating to Security Testing.
• Supports and successfully completes Audits
• Cross-train the other Security Penetration Testers and Adversarial Red Team members.
• Cross-train other teams within Security Services and OCC IT departments to provide subject matter knowledge of a specific adversarial threat/risk, or to assist with remediation path recommendations
• Participate in “Lessons Learned” process to provide information to help OCC improve practices, methodologies, tools, and other technologies
• Stay current on emerging technology trends and the threat landscape
• Advise IT on current and emerging threats, their attack vectors, and how to mitigate them
• Be a team player and perform other duties as assigned

Qualifications & Experience

• [Required] 6+ year of experience in building high speed, data-centric solutions
• [Required] 6+ years experience in Full Stack Development using Java, C#, Go, Rust, Python, or at least one proficient language
• [Required] Experience following Git workflows
• [Required] Working knowledge of DevOps tools such as Terraform, Ansible, Jenkins, Kubernetes, Harness, Helm and CI/CD pipeline etc
• [Required] Familiarity with monitoring related tools and frameworks like Splunk, ElasticSearch, Prometheus, AppDynamics
• Experience with high speed distributed computing frameworks like FLINK, Apache Spark, Kafka Streams, etc
• Experience with distributed message brokers Kafka, RabbitMQ, ActiveMQ, Amazon Kinesis, etc. Kafka
• Experience with cloud technologies and migrations. Experience preferred with AWS foundational services like VPCs, Security groups, EC2, RDS, S3 ACLs, KMS, AWS CLI and IAM etc
• Experience developing and delivering technical solutions using public cloud service providers like Amazon, Google Cloud Computing, Digital Ocean, etc
• Experience working with various types of databases like Relational (MySQL, PostgreSQL, etc), Non-relational (NoSQL), Object-based, Graph
• Exposure working with various AI LLM Models
• Exceptional analytical, problem solving and troubleshooting skills with the ability to exercise good judgment while developing creative solutions
• Exceptional listening and verbal/written communication skills to be able to articulate ideas clearly and concisely
• Enthusiasm for constantly learning new Penetration Testing techniques across multiple areas: Network/Application Penetration Testing, Web Application Penetration Testing, Mobile Application Penetration Testing, Open Source Intelligence, and more
• Proven due diligence and research ability via open-source avenues and technology
• Strong familiarity with enterprise technologies; strong technical background and understanding of security-related technologies; prefer operational experience as an administrator, engineer, or developer and direct experience testing in commercial cloud environments (AWS, Azure, IaaS/PaaS/SaaS)
• Good applicable knowledge of policy and procedure development, systems analysis, Information Assurance (IA) policy, vulnerability management, and risk management
• Good understanding of regulatory standards including CSF, NIST, PCI, SSAE 16, SAS 70, HIPPA, FIPS 199, COBIT 5 and others as needed.
• Strong knowledge in cryptography (symmetric, asymmetric, hashing) and its various applications
• Strong knowledge of common enterprise infrastructure technology stacks and network configurations
• Exhibit ability to understand and probe/exploit a diverse range of Network and Internet Protocols
• Ability to facilitate meetings and conversations
• Ability to work with business users, understand their needs and translate those needs to the final project deliverables
• Nice to have experience working on critical infrastructure in a regulated environment
• High energy, results-driven person with an attention to detail

Technical Skills & Background

• [Required] Full Stack software development experience using Java, C#, Go, Rust, Python, or at least one proficient language
• [Required] Strong experience with custom scripting (Python, Powershell, Bash, etc.)  and process automation
• [Required] Strong testing experience which includes developing test plans, automated test cases, and working with test frameworks
• [Required] Deep understanding of performance issues and multi-threaded development
• [Required] Experience working with two or more of the following: web/mobile application development, Unix/Linux environments, event-driven systems, transaction processing systems, distributed and parallel systems, large software system development, security software development, public-cloud platforms
• [Required] Hands-on experience with Spring, SpringBoot, Microservices, REST API, and more
• Exposure working with various AI LLM Models
• Strong enthusiasm for Network, Web Application, and Mobile Device security testing, exploit and payload development, etc. and automating security control validation techniques
• Strong proficiency in OSINT/ threat intelligence gathering
• Strong experience with database security testing (MSSQL, DB2, MySQL, etc.).
• Experience with common penetration testing tools (Kali, Cobalt Strike, Nighthawk, Nmap, Qualys, Nessus, Burp Suite, Wireshark, Recon-NG, Ettercap/Bettercap, Hashcat, Bloodhound, Ida Pro, Ghidra, Sublist3r, Rubeus, Mimikatz, CrackMapExec, Exploitdb, Yersinia, Impacket, etc.)
• Track record of vulnerability research and CVE assignments
• Knowledge of Windows APIs and Living off the Land (LOL) Binaries
• Experience with Mainframes, Windows, Unix, MacOS, Cisco, platforms and controls
• Proficient in creating content with Microsoft Office (Word, Excel, PowerPoint, Visio)
• Proficient in basic document management in a Microsoft SharePoint environment
• Experience with dedicated document management tools (e.g., DMS, PolicyTech) is a plus
• Experience with using ServiceNow and Jira is a plus

Certifications or Licenses

• Programmer Certifications for at least one proficient programming language (Java, C#, Go, Rust, Python, etc) is required
• AWS-related certifications (AWS Certified Solutions Architect, AWS Red Team Expert ARTE, etc.) is highly desired
• Security-related certifications (OSCP, OSWE, OSCE, GPEN, GXPN, GWAPT, etc.) is highly desired

Education Experience

• BS in Computer Science, Information Management, Information Security or other comparable technical degree
• 6+ years experience in Full Stack Development using Java, C#, Go, Rust, Python, or at least one proficient language is required
• 3+ years’ experience in Penetration testing or Information Security environment is highly desired

About Us

The Options Clearing Corporation (OCC) is the world's largest equity derivatives clearing organization. Founded in 1973, OCC is dedicated to promoting stability and market integrity by delivering clearing and settlement services for options, futures and securities lending transactions. As a Systemically Important Financial Market Utility (SIFMU), OCC operates under the jurisdiction of the U.S. Securities and Exchange Commission (SEC), the U.S. Commodity Futures Trading Commission (CFTC), and the Board of Governors of the Federal Reserve System. OCC has more than 100 clearing members and provides central counterparty (CCP) clearing and settlement services to 19 exchanges and trading platforms. More information about OCC is available at www.theocc.com.

Benefits

A highly collaborative and supportive environment developed to encourage work-life balance and employee wellness. Some of these components include:

• A hybrid work environment, up to 2 days per week of remote work
• Tuition Reimbursement to support your continued education
• Student Loan Repayment Assistance
• Technology Stipend allowing you to use the device of your choice to connect to our network while working remotely
• Generous PTO and Parental leave
• 401k Employer Match
• Competitive health benefits including medical, dental and vision

Visit https://www.theocc.com/careers/thriving-together for more information.

Compensation

• The salary range listed for any given position is exclusive of fringe benefits and potential bonuses. If hired at OCC, your final base salary compensation will be determined by factors such as skills, experience and/or education.
• In addition, we believe in the importance of pay equity and consider internal equity of our current team members as part of any final offer.
• We typically do not hire at the maximum of the range in order to allow for future and continued salary growth. We also offer a substantial benefits package as noted on www.theocc.com/careers
• All employees may be eligible for a discretionary bonus. Discretionary bonuses are based on various factors, including, but not limited to, company and individual performance and are not guaranteed.

Salary Range

Incentive Range

This position is eligible for an annual discretionary incentive compensation award, for which the target range is listed above (see Incentive Range). The amount of such award, if any, will be based on various factors, including without limitation, both individual and company performance.

Step 1
When you find a position you're interested in, click the 'Apply' button. Please complete the application and attach your resume.  

Step 2
You will receive an email notification to confirm that we've received your application.

Step 3
If you are called in for an interview, a representative from OCC will contact you to set up a date, time, and location. 

For more information about OCC, please click here.

OCC is an Equal Opportunity Employer