Senior Application Security Analyst (VP)
As a bank with a brain and a soul, Citi creates economic value that is systemically responsible and, in our clients’, best interests. As a financial institution that touches every region of the world and every sector that shapes your daily life, our Enterprise Operations & Technology teams are charged with a mission that rivals any large tech company. Our technology solutions are the foundations of everything we do. We keep the bank safe and provide the technical tools our workers need to be successful. We design our digital architecture and ensure our platforms provide a first-class customer experience. Our operations teams manage risk, resources, and program management. We focus on enterprise resiliency and business continuity. We develop, coordinate, and execute strategic operational plans. Essentially, Enterprise Operations & Technology re-engineers’ client and partner processes to deliver excellence through secure, reliable, and controlled services.
Trust is part of our DNA at Citi. As such, we take safeguarding our customer data very seriously. The Chief Information Security Office (CISO) is made up of deeply dedicated and talented colleagues who work together to ensure the safety of Citi’s and our clients’ assets and information. We manage information security as an end-to-end program – one with a clear mandate and accountability. Our mission is to continually execute and enhance a global security program that is fully anchored to modern control and security frameworks, fully aligned with the technology of the firm, threat-focused and data-driven, and deeply integrated across all Citi businesses globally.
Being talent-driven, we are focused on attracting, developing, and retaining diverse and inclusive talent with a high technical skill level. As a member of our team, we will provide you with career development opportunities at all stages of your career. Our employees model a passion for protecting Citi and our clients and believe in treating others with dignity and respect.
Our commitment to diversity includes a workforce that represents the clients we serve globally from all walks of life, backgrounds, and origins. We foster an environment where the best people want to work. We value and demand respect for others, promote individuals based on merit, and ensure opportunities for personal development are widely available to all. Ideal candidates are innovators with well-rounded backgrounds who bring their authentic selves to work and complement our culture of delivering results with pride. If you are a problem solver who seeks passion in your work, come join us. We’ll enable growth and progress together.
#CISO
Senior Application Security Analyst (VP)
Are you interested in growing your career in Cyber Security?
Whether you are an application developer looking to make the switch into the challenging, yet rewarding, world of information security, or you are an elite white-hat hacker, Citi is the place for you. Our team of world class, talented individuals, who are passionate about security, put their skills to the test every day on a global scale. At Citi, you will be exposed to all sorts of technologies on enterprise-scale, so hunger for knowledge and research is greatly appreciated and rewarded.
As a member of the AppSec team, your duties include interfacing with development organizations to onboard applications to our automated security testing platform and performing secure code review assessments using commercial static analysis tools like Checkmarx, Snyk, and Fortify. The team works in partnership with Global Information Security to roll out the Secure-SDLC across the Citi enterprise. Most of the team has achieved industry standard security certifications (GWEB, GWAPT, CEH, GIAC, etc.) over time and we are looking for motivated individuals eager to learn.
Responsibilities:
Perform analysis and execution of scans for Software Composition Analysis findings, mobile scanning vulnerabilities.
Review and validate automated testing results and prioritize actions that resolve issues based on overall risk. Perform application security tests using binary analysis.
Perform manual source code review for security vulnerabilities. Analyze source code to mitigate identified weaknesses and vulnerabilities within the system.
Identify opportunities to automate and standardize information security controls and for the supported groups. Participate in conference calls with engineering team to ensure proper scan coverage and effective results.
Write formal security assessment report for each application, using our company's standard reporting format.
Direct the development and delivery of secure solutions by coordinating with business and technical contacts. Collaborate with application teams to ensure that any identified security vulnerabilities are remediated in a timely manner.
Manage and execute security assessments for multiple projects simultaneously and ensure project timelines are met.
Research and explore new testing tools and methodologies. Act as a mentor to the junior team members.
Actively participate in research and knowledge sharing discussions with broader Vulnerability Assessments organization. Reduce risk by analyzing the root cause of issues, their impact, and required corrective actions.
Appropriately assess risk when business decisions are made, demonstrating consideration for the firm's reputation and safeguarding Citigroup, its clients, and assets, by driving compliance with applicable laws, rules and regulations, adhering to Policy, applying sound ethical judgment regarding personal behavior, conduct and business practices, and escalating, managing and reporting control issues with transparency.
Qualifications:
At least 5 years of relevant experience in web development, source code review, or application security testing.
Basic understanding of application security and associated vulnerabilities
Development background in Java/J2EE, C#, .NET in an enterprise environment
Development experience with modern JavaScript frameworks, Python, JSON, Lambda
Good understanding of the Software Development Life Cycle – including unit testing, code scanning
Experience using ALM and CICD tools like Bitbucket, GitHub, Jenkins, udeploy, BMC RLM, tekton or related tools in an agile methodology.
Familiarity with static analysis (source code review) and application pen-testing techniques
Experience using commercial enterprise automated security testing tools such as Checkmarx, Snyk, AppScan Source, Fortify, Veracode, Blackduck, Sonatype, Contrast, Seeker, NowSecure is a plus.
Knowledge with mobile platforms and languages including Android, Kotlin, Objective-C, Swift is a plus.
Experience using or testing cloud platforms (AWS, Google, Azure, etc.) is a plus.
Proven influencing and relationship management skills.
Consistently demonstrates clear and concise written and verbal communication.
Professional certifications, such as CISSP, CSSLP, GIAC, CEH, or willingness to obtain.
Education:
Bachelor’s degree in technology, Computer Science, Engineering, or related field
Master’s degree is a plus.
Critical Competencies:
Enterprise Application development using Java/J2EE, Spring
Application Security Testing and Source Code Review
