Cybersecurity DesignReviewer Architect

ROLE: Cybersecurity Design Reviewer/Architect

WHO WE ARE:

We are responsible for detecting and preventing attempted cyber intrusions against the firm helping the firm develop more secure applications and infrastructure developing software in support of our efforts measuring cybersecurity risk and designing and driving implementation of cybersecurity controls. The team has a global presence across the Americas APAC India and EMEA.

Within Technology Risk Advisory is the consultative and technology subject matter expertise arm responsible for assessing new technology initiatives for risk partnering with engineers to architect design and maintain secure applications and infrastructure embedding implementation reviews as part of the SDLC and CI/CD pipeline via code analysis and penetration testing and guiding technology innovation in terms of security and control.

The team plays a critical role in designing and assessing controls for our transition to building native public cloud applications.

HOW YOU WILL FULFILL YOUR POTENTIAL:

You will be part of the global Technology Risk organization overseeing a subset of business-critical applications. Within that scope your job will be to review and consult major application changes at the design/architecture stage from the information security perspective. You will be the security-related single point of contact for your application teams aggregating signals from additional sources like penetration tests and bug bounty reports to advocate for best-in-class security standards.

Your responsibilities will include:

• Conduct cybersecurity design reviews including those for AI and machine learning solutions challenging and validating architectures prepared by development teams to ensure robust security practices are embedded from the start.

• Serve as a cybersecurity advisor providing expert guidance and best practices to teams on secure design and implementation strategies with a particular emphasis on web applications and AWS infrastructure.

• Drive organizational change by creating documenting and promoting effective security patterns and actively supporting developers in applying them within their projects.

• Conduct Read-out Calls with the business to articulate risk and recommend a mitigation strategy.

• Analyse reports and findings from penetration tests and code reviews guiding development teams in the effective resolution of identified security issues.

• Mentor and support junior team members fostering their growth and development within the cybersecurity discipline.

BASIC QUALIFICATIONS:

• 4 years experience in one or more technical roles (focusing on application security and cloud security).

• Prior experience in performing Threat Modeling Secure Design Reviews or Secure Architecture Reviews.

• Degree in Computer Science System/Computer Engineering Cyber-Security or Information Security.

• Practical knowledge of the most common cybersecurity vulnerabilities - e.g. OWASP Top 10 and cloud security gaps.

• Strong experience with AWS security services and best practices (e.g. IAM Security Groups KMS CloudTrail GuardDuty Inspector).

• Knowledge of authentication and authorization protocols including OAuth OIDC and SAML.

• Knowledge of secure coding practices.

• Familiarity with Security standards such as OWASP Testing Guide OWASP ASVS NIST and SANS Top 20.

• Knowledge of common security controls and how they apply to different architectures and systems including but not limited to authentication monitoring input validation and secure configuration.

• Experienced in application vulnerability assessment and penetration testing. Proficient with security tools such as scanners debuggers and HTTP proxies.

• Familiarity with modern and common web stack technologies (e.g. HTTP/2 HTML5 REST etc.) and platforms (e.g. Spring Boot React NodeJS Python MS SQL PostgreSQL MongoDB etc.).

• Knowledge of core cryptography (encoding encryption hashing protocols) and their use and vulnerabilities in applications such as TLS and algorithm-specific attacks.

• Strong English communication skills both written and verbal to effectively convey risks to technical and management stakeholders.

• Demonstrated ability to keep up-to-date with evolving security threats vulnerabilities and mitigation strategies through continuous learning and professional development.

PREFERRED QUALIFICATIONS:

• Understanding of network security vulnerabilities and associated risks.

• Proficient in operating system hardening and security protection

• Ability to conduct risk assessments for emerging technologies such as AI/ML.

• Experience in doing architecture review of Mobile applications.

• Understanding Kubernetes security principles and practices.

• Proficiency in cybersecurity principles and practices related to Azure and GCP.

• Experience with securing trading and payments platforms including knowledge of relevant compliance requirements (e.g. PCI DSS).

• Knowledge of data Protection Strategies (data encryption at rest/in transit access control policies data masking tokenization data loss prevention regular backups etc.)

• Experience with infrastructure-as-code tools such as Terraform CloudFormation or AWS CDK.

• Experience in crafting custom proof-of-concept application exploits using testing tools/frameworks or scripting exploits in Python Perl JavaScript Shell scripting etc.

• Certifications and training in related areas (e.g. AWS Certified Security - Specialty GCP Cloud Security Engineer Azure Security Engineer Associate).