Director of Application Security
Job Summary
Leadership position responsible for spearheading the vision, design, and implementation of the Application Security (AppSec) program for CNA. This position leads the AppSec team, develops AppSec strategy, and conducts application security assessments supporting the selection, development, and implementation of enterprise applications. The focus is on designing strategies for assessing in-house developed applications through design review, threat modeling, and manual code review, and on collaborating with application owners to remediate the risk those assessments identify.
Essential Duties & Responsibilities
Performs a combination of duties in accordance with departmental guidelines:
- Lead the Application Security program as an AppSec SME throughout a global technology organization with in-house developed applications and various legacy and modern systems within data centers and the cloud.
- Lead and mentor a team of AppSec professionals across the DevSecOps, SAST/DAST, Software Composition Analysis (SCA), and secure SDLC disciplines.
- Develop enterprise policy and technical standards with specific regard to application security management and secure development standards.
- Document technical issues identified during AppSec assessments and correlate technical issues across applications to update application security standards.
- Define and report on AppSec assessment findings using Common Vulnerability Scoring System (CVSS) scores and severity ratings.
- Fully understand business requirements and work with business stakeholders to define solutions that meet security objectives while still meeting the business need.
- Be a champion for AppSec and information security including broadening awareness and use of the team's services, education of security best practices and integration with other business areas.
- Provide guidance, technical expertise, and support to team members regarding application assessments.
- Develop and improve KPIs and metrics for AppSec functions.
- Participate and lead new projects as needed.
May perform additional duties as assigned.
Reporting Relationship
Typically AVP or above
Skills, Knowledge & Abilities
- Proven track record of leading AppSec teams with proven knowledge and competence in security concepts and strategies and the ability to successfully implement them.
- Expert knowledge of application vulnerability management tools and strong technical understanding and experience assessing vulnerabilities and identifying weaknesses in multiple in-house developed applications across multiple on-prem and cloud platforms. Experience with one or more of the following tools: Fortify, Veracode, WebInspect, Burp Suite, Nexus, and others.
- Strong written and verbal communication skills with the ability to collaborate through all parts of the business.
- Understands the threat landscape as it relates to business risk, and is able to communicate that understanding clearly to engineering teams.
- Leadership skills which bring out the best in the team. This includes both direct leadership but also cross-functional capabilities.
- Excellent ability to effectively interact and communicate with all levels of external vendors and/or internal business partners within scope of responsibility, team, and/or matrix environment.
- Ability to report gaps in terms of the business risk they represent while giving operations teams concrete technical remediation guidance.
- Experience in working across public cloud and on-premises hybrid infrastructure.
- Self-starter with the ability to make independent decisions and the judgment to know when to seek guidance.
- Fundamental understanding of the distinction between risk and severity (e.g. a finding's CVSS severity rating versus the business risk it carries in the context of the affected application).
- Comfort in a diverse technology environment spanning multiple operating systems and architectures.
- Strong understanding of enterprise, network, system/endpoint, and application-level security issues and risks.
Education & Experience
- Bachelor's degree in Computer Science, or related discipline, or equivalent work experience.
- Typically a minimum of ten years' related work experience in Information Technology, preferably with at least four years of experience in Application Security.
#LI-JB1
#remote