Morgan Stanley seeks a senior Application Security professional to drive the delivery of the Secure SDLC program that promotes best practices in application development. The candidate will be responsible for aligning security requirements with the SDLC process by partnering and consulting with leaders in IT, the business lines and peers in Technology Information Risk regarding information security risks, providing solutions to minimize those risks and driving the DevSecOps agenda to ensure application security can meet the needs of the firm.
Principal duties include:
- Ensuring security policy requirements are properly applied to applications throughout the entire development life cycle.
- Ensuring business units understand security policy requirements and factor them into their activities.
- Providing practice leadership by facilitating a community of like-minded practitioners to share and exchange ideas for growth and improvement.
- Partnering with the Application Infrastructure group to integrate secure software development activities and controls with the Firm standard CI/CD frameworks.
Qualifications include:
- Bachelor's degree or equivalent in Computer Engineering, Computer Science or a related field of study and at least 5 years of progressively responsible experience performing application security assessments.
- Prior experience must include: performing penetration tests, vulnerability assessments and infrastructure security reviews for web applications and their supporting network infrastructure; and performing secure code review utilizing .Net, J2EE, and C++ for Windows and Unix operating systems.
- At least 3 years of developing, architecting and implementing enterprise IT security solutions, with a focus on application security.
- Strong understanding of, and experience with, multiple SDLC methodologies.
- Strong experience rolling out threat modeling enterprise-wide in a form that developers and engineers can consume.
- Positive, impactful communication; excellent leadership, business partnership and project management skills.
- Ability to collaborate and build positive relationships across multiple stakeholders.
- Agile thinking and analysis that leads to win-win and innovative solutions.
- Strong written and verbal communication skills.
- Calmness and clarity of thought under pressure and ability to maintain confidentiality.
- Professional security management certification, such as Certified Information Systems Security Professional (CISSP) or Certified Information Security Manager (CISM).
- Strong secure development and programming knowledge of application threats and vulnerabilities.
- Knowledge of static code analysis tools such as Fortify.
- Knowledge of development toolsets such as Git/Bitbucket, Jira, Maven, Jenkins, Crucible and JUnit; some knowledge of test automation using tools such as Selenium is a plus.
- Familiarity with industry audit standards including PCI-DSS, SSAE-16 and FFIEC.