Associate Principal, Application Security

Posted 9 Days Ago
Be an Early Applicant
Chicago, IL
Hybrid
Senior level
Big Data • Cloud • Fintech • Information Technology • Financial Services
We clear and settle trades for the options industry.
The Role
The Associate Principal, Application Security role involves supporting application and software security initiatives by performing penetration testing, conducting security assessments, and managing vulnerabilities in both legacy and cloud environments. The incumbent collaborates with development teams, conducts code reviews, and integrates security tools into development pipelines while ensuring compliance with security policies and best practices.
Summary Generated by Built In

What You'll Do:
This position works closely with other members of the Security Services, IT Development Teams, and Development teams to support application and software security initiatives, projects, and operations.
Responsibilities include:
Candidate would perform Network/Application and Web Application penetration testing. Also create custom scripts and perform automation while also perform security assessments on both legacy on prem and cloud environments. Candidate would also Identify, document and communicate vulnerabilities.
Primary Duties and Responsibilities:
To perform this job successfully, an individual must be able to perform each primary duty satisfactorily.
Application Security Testing

  • Perform application penetration testing as part of a team.
  • Perform retests of vulnerabilities to verify previous findings have been remediated.
  • Review reports of the testing and conduct security risk assessment of the vulnerabilities.
  • The use and maintenance of cloud and self-managed security scanning tools, manual source code reviews, and manual penetration assessments.
  • Conduct code scans using automated tools and risk rate the vulnerabilities according to the organization risk profile and mitigating controls.
  • Conduct IT/Security code review meetings to eliminate false positives and encourage collaboration between Security and IT development teams.
  • Assist with application security vulnerability management including implementation of new vulnerability management tools.
  • Setup Command & Control C2 Infrastructure.
  • Understand vulnerabilities and develop relevant payloads for use during pen testing activities.
  • Perform independent reviews of OCC's applications.
  • Debrief users and provide remediation strategy on findings.
  • Ensure alignment of security controls in OCC's testing program and supporting services and related policies and procedures with applicable regulations and industry standard best practices.
  • Perform ongoing reviews of application releases to ensure only secure and reviewed code is pushed to prod, with automation tasks as necessary.
  • Develop scripts to integrate Security tools into the pipeline and assist development teams with interpreting results from pipeline vulnerability verification reports to facilitate vulnerability remediation.
  • Perform other duties as assigned.


Supervisory Responsibilities:
NA
Qualifications:
The requirements listed are representative of the knowledge, skill, and/or ability required. Reasonable accommodations may be made to enable individuals with disabilities to perform the primary functions.

  • Experience with CI/CD pipelines and software development/coding: Docker, Jenkins, GitHub, SVN, Terraform, and others.
  • Exceptional analytical, problem solving and troubleshooting skills with the ability to exercise good judgment while developing creative solutions.
  • Excellent focused domain areas of expertise as well as a good breadth of experience across Network/Application Penetration Testing, Web Application Penetration Testing and more.
  • Strong familiarity with enterprise technologies; strong technical background and understanding of security-related technologies; prefer operational experience as an administrator, engineer, or developer and direct experience testing in commercial cloud environments (AWS, Azure, GCP, IaaS/PaaS/SaaS).
  • Good applicable knowledge of policy and procedure development, systems analysis, Information Assurance (IA) policy, vulnerability management, and risk management
  • Good understanding of regulatory standards including CSF, NIST, PCI, SSAE 16, SAS 70, HIPPA, FIPS 199, COBIT 5 and others as needed.
  • Strong knowledge of cryptography (symmetric, asymmetric, hashing) and its various applications.
  • Strong knowledge of common enterprise infrastructure technology stacks and network configurations.
  • Exhibit ability to understand and probe/exploit a diverse range of Network and Internet Protocols.
  • Exhibit ability to understand and modify code in a diverse range of programming languages and frameworks; must have direct practical experience with one or more high level programming languages.
  • Nice to have - Experience working on critical infrastructure in a regulated environment


Technical Skills:

  • Strong proficiency in network, application penetration testing
  • Strong experience with custom scripting (python, C++, PowerShell, bash, etc.) and process automation.
  • Strong experience with database security testing (MSSQL, DB2, MySQL, etc.).
  • Strong proficiency with common penetration testing tools (Kali, Armitage, Metasploit, Cobalt Strike, Nmap, Qualys, Nessus, Burp Suite, Wireshark etc.).
  • Experience with Mainframes, Windows, Unix, MacOS, Cisco, platforms and controls.
  • Proficient in creating content with Microsoft Office (Word, Excel, PowerPoint, Visio).
  • Proficient in basic document management in a Microsoft SharePoint environment.
  • Experience with dedicated document management tools (e.g., DMS, PolicyTech) a plus.
  • Experience with using ServiceNow.
  • Familiarity with application frameworks and their built-in security services and API's (i.e., Sun J2EE, MS .NET, OMG CORBA, Spring, etc.)
  • Knowledge of security architecture design and principles including confidentiality, integrity and availability.
  • Knowledge of automated code scanning tools and development pipeline tools
  • Understanding of security concepts and practices, including those for authentication, authorization, access control and auditing as well as best practices (e.g. OWASP).
  • Familiarity with application authentication and authorization systems (i.e., CA SiteMinder, RSA SecurID/ACE, Active Directory, and LDAP)
  • General knowledge of cryptography (symmetric and asymmetric encryption, digital signatures, message digests, certificates, PKI, SSL/TLS, etc.)
  • Fundamental understanding of network and data communications technologies
  • Knowledge of (AWS, Azure, GCP) Cloud security concepts, best practices, and environments
  • Knowledge of Secure DevOps concepts


Education and/or Experience:

  • BS in Computer Science, Information Management, Information Security or other comparable technical degree from an accredited college/university desired.
  • 3+ Years' experience penetration testing.
  • 5+ Years' experience in Information Assurance or Information Security environment.
  • Experience writing scripts and working with containers in a CI/CD pipeline
  • Exposure to security architecture design through application development or knowledge of security concepts/best practices
  • Previous work in development, architecture or quality assurance testing may be applicable to the position requirements.


Certificates or Licenses:

  • Security-related certifications (CISSP, CISA, CRISK, ISSAP, GSLC, OSCP, OSCE, GPEN, or GXPN, etc.) highly desired.
  • Professional network and/or security certifications a plus (i.e., GIAC, CISSP, CISA, CISM, CRISC)
  • Cloud security automation certifications a plus (i.e. GCSA)
  • Penetration testing certifications a plus (i.e. OSCP, GWAPT)


Who We Are
The Options Clearing Corporation (OCC) is the world's largest equity derivatives clearing organization. Founded in 1973, OCC is dedicated to promoting stability and market integrity by delivering clearing and settlement services for options, futures and securities lending transactions. As a Systemically Important Financial Market Utility (SIFMU), OCC operates under the jurisdiction of the U.S. Securities and Exchange Commission (SEC), the U.S. Commodity Futures Trading Commission (CFTC), and the Board of Governors of the Federal Reserve System. OCC has more than 100 clearing members and provides central counterparty (CCP) clearing and settlement services to 19 exchanges and trading platforms. More information about OCC is available at www.theocc.com.
What We Offer
A highly collaborative and supportive environment developed to encourage work-life balance and employee wellness. Some of these components include:
A hybrid work environment, up to 2 days per week of remote work
Tuition Reimbursement to support your continued education
Student Loan Repayment Assistance
Technology Stipend allowing you to use the device of your choice to connect to our network while working remotely
Generous PTO and Parental leave
Competitive health benefits including medical, dental and vision
Step 1
When you find a position you're interested in, click the 'Apply' button. Please complete the application and attach your resume.

Step 2
You will receive an email notification to confirm that we've received your application.

Step 3
If you are called in for an interview, a representative from OCC will contact you to set up a date, time, and location.

For more information about OCC , please click here .
OCC is an Equal Opportunity Employer

Top Skills

AWS
Azure
Docker
GCP
Git
Jenkins
Svn
Terraform

What the Team is Saying

The Company
HQ: Chicago, IL
1,033 Employees
Hybrid Workplace
Year Founded: 1973

What We Do

As the foundation for secure markets, OCC is a customer-driven organization that delivers world-class Risk Management, Clearing, and Settlement Services for a sophisticated mix of financial products that includes standard options, stock loans, and futures contracts.

Why Work With Us

We're bound together by values and behaviors that shape the way we work and live, from team projects to after-hours events and to making a difference in our communities. OCC colleagues thrive in an atmosphere of intellectual curiosity, creative problem-solving and effective interaction.

Gallery

Gallery
Gallery
Gallery
Gallery
Gallery
Gallery
Gallery
Gallery

OCC Offices

Hybrid Workspace

Employees engage in a combination of remote and on-site work.

A hybrid work environment, up to 2 days per week of remote work

Typical time on-site: 3 days a week
Company Office Image
HQChicago, IL
Company Office Image
Dallas, TX
Company Office Image
Washington, DC
Learn more

Sign up now Access later

Create Free Account

Please log in or sign up to report this job.

Create Free Account