Application Security Lead

IG GROUP HOLDINGS PLC,
London, Greater London

Overview

Job Description

Job Title: Application Security Lead

Job Description:

Delivering secure applications requires a combination of technical expertise and strong collaboration skills, with a proven ability to influence large technical teams to learn and apply new techniques and processes. This role will lead a small team of AppSec specialists to shape and improve IG's approach to application security through proposing and implementing effective strategies to achieve more secure applications. This role sits within the larger operational security group, but is primarily concerned with embedding and strengthening secure development practices and skills within our software development teams (600+ developers). We expect this to be accomplished through a mixture of technical training, improved ways of working, threat modeling, code standards and reviews, and automated code validation. The successful candidate will have considerable freedom to determine the most appropriate methods and approaches that accomplish IG's overall goals in this space.

Core functions the AppSec Lead is expected to perform include:

Team Leadership
* Working with other stakeholders in IT and Security teams, develop a holistic strategy for application security.
* Lead a small team of application security engineers to deliver the application security strategy.

Secure Software Development Lifecycle (SSDLC)
* Act as a subject matter expert for application security at all stages of the development lifecycle.
* Develop and refine our Secure Software Development Lifecycle in line with our existing Agile SDL, while recognizing that there is no one-size-fits-all development process.
* Integrate threat modeling practices into the Software Development Lifecycle, and support development teams in conducting these assessments.
* Contribute to the definition of non-functional security requirements, and work with the architecture function to design and implement secure application architectures and standards.

Training & Engagement
* Develop and manage an on-going training program for software developers on secure coding practices and techniques.
* Embed security code review into the standard pull-request process.
* Host and engage a community for those within IT with an interest in or aspirations towards application security.

Application Vulnerability Management
* Assess the risk of discovered vulnerabilities, and advise on remediation methods.
* Collaborate with the QA team to deliver internal security testing and automated code reviews (SAST/DAST/etc.) as part of the build/deployment pipeline.
* Manage external sources of vulnerability information, including penetration testing, bug bounty, and responsible disclosure programs.
* Lead periodic reviews of our existing application estate to detect and triage vulnerabilities in current/legacy applications.

Incident Response
* Lead the technical response to application security incidents.
* Ensure playbooks for the response to application security alerts and incidents are adequate.
* Train the SOC team to successfully investigate and respond to application security incidents.

Other
* Assist with the training and development of other security team members, share knowledge and demonstrate best practices by example.
* Lead internal projects to improve application security, such as contrasting competing tools or technologies, re-designing existing security controls and assessing the impact of changes to IG's IT environment.
* Take an active role as the security SME in development projects where required, ensuring that security issues are considered and implemented appropriately.

Essential Skills and Attributes:

This is an experienced role, and therefore candidates are expected to convincingly satisfy most of the listed requirements. Successful candidates will demonstrate an independent and self-motivated approach to continuing the development of their skills and knowledge.

* Strong background in application security engineering with a proven record of defining/implementing SSDLC.
* Experience designing and/or delivering training for secure coding, and ideally having implemented a secure coding improvement program with multiple facets (policy, standards, training, gamification, recruitment, feedback, etc.).
* Deep understanding of OWASP Top 10 & MITRE CWE 25.
* Experience performing application threat modeling exercises.
* Demonstrably involved in staying up to date with developments in the AppSec field (e.g. OWASP chapter, online communities, conferences/seminars).
* A clear understanding of risk management concepts and able to help align AppSec activities to an enterprise risk management framework.
* Previous experience working in a professional development role (ideally Java/C++) or a demonstrable portfolio of developed applications.

Desirable Skills and Experience:
* SAST/DAST Tools
* Jenkins and Gitlab
* Java on Tomcat
* Kafka, Kubernetes, and Docker
* AWS
* WAF, DDoS Protection, SSL inspection, HSM and related security tools
* Application pentesting tools (Intercepting proxies, app scann