Application Security Consultant - Tampa, FL (Hybrid)

The organization is a premier post-trade market infrastructure provider for the global financial services industry, with over 45 years of experience. With operating facilities, data centers, and offices in 16 countries, the organization and its subsidiaries automate, centralize, and standardize the processing of financial transactions, mitigating risk, increasing transparency, and driving efficiency for thousands of broker/dealers, custodian banks, and asset managers. As an industry-owned and governed organization, it simplifies the complexities of clearing, settlement, asset servicing, data management, and information services across asset classes, bringing increased security and soundness to financial markets. In 2017, the organization's subsidiaries processed securities transactions valued at more than U.S. $1.61 quadrillion. Its depository provides custody and asset servicing for securities issues from 131 countries and territories valued at U.S. $57.4 trillion. The organization's Global Trade Repository service maintains approximately 40 million open OTC positions per week and processes over one billion messages per month through its group of licensed trade repositories.

Being a member of the Application Security team, you will be part of the Technology Risk initiative to support offensive security assessments on applications and provide SME guidance to key projects.

The Application Offensive Security Consultant is responsible for managing, providing technical direction, and performing security assessment on applications. The person in this role should possess good understanding of application security testing, red team / adversarial engagements, and penetration testing and related development expertise to guide project initiatives to ensure security best practices are being used.

Your Primary Responsibilities:

• Perform Offensive Application Testing against applications and APIs.
• Perform application threat hunting to evaluate risk to applications.
• Coordinate with application development teams to collect the application details.
• Provide the vulnerability information in the predefined report format after performing the testing using manual methodology and tools
• Provide assistance to the developers and business teams in detailing the vulnerabilities reported along with the recommendations for remediation
• Align risk and control processes into day-to-day responsibilities to monitor and mitigate risk; escalates appropriately
• Generate reports on assessment findings and summarizes to facilitate remediation, document technical issues identified during security assessments
• Perform threat modeling, design, and code views to assess security implications and requirements
• Be a subject matter expert and respond to any security engineering questions/ requests related to Application Defense enhancements
• Research and implement tools and techniques to secure and continuously monitor the applications
• Collaborate with Security Architects, Product Manager, Risk Managers, and other teams to deliver high quality product.
• Cultivate and maintain relationships with key partners at varying organizational levels

Talents needed for Success:

• Bachelor's degree is desirable
• Minimum of 3 years of experience in App Pentest tools such as Burp Suite or Net Web Inspect
• Certified in OSCP or GWAPT
• A broad and deep understanding of security threats, vulnerabilities, risks associated with nature of applications and APIs
• Experience testing Docker, Kubernetes and other container orchestration solutions.
• Ability to explain vulnerabilities and weaknesses in OWASP Top 10 and SANS Top 25 to any audience and discuss effective defensive techniques
• Understanding of Authentication, Authorization mechanism programmatically across different web technologies and protocols (SSL/TLS, REST, OAuth, SAML etc.)
• Experience in facilitating technical conversations between engineering and operations
• Ability to work under pressure, multitask and be flexible

Skills:OWASP Top 10 and SANS Top 25, App Pentest tools such as Burp Suite or Net Web Inspect, OSCP or GWAPT, SSL/TLS, REST, OAuth, SAML