Security Architect (SecDesign Integrator – Cloud & App Security)

Sécurité Architect (SecDesign Integrator – Cloud & App Security)

Expérience, localisation et modalités

• Experience: 10+ years
• Location : Montreal
• Hybrid: Required 3 days in office

Description du poste

La mission de l’équipe SecDesign est de fournir des évaluations d’architecture de sécurité des systèmes technologiques et des processus afin d’identifier les risques pour l’entreprise et de recommander des actions correctives en se basant sur des normes de sécurité établies ou des meilleures pratiques en sécurité. Le SecDesign Generalist est un consultant interne qui travaille sur plusieurs évaluations d’architecture et de conception en matière de sécurité couvrant plusieurs classes de technologies. C’est une opportunité de contribuer à plusieurs unités d’affaires et technologies inhérentes à la mission de SecDesign. L’Integrator travaille avec des membres de l’équipe (Technologie, Affaires, Fournisseurs, Parties prenantes et Partenaires) à l’échelle mondiale afin d’effectuer des évaluations SecDesign. Pour réussir en tant qu’Integrator, le candidat doit avoir une expérience technologique étendue, combinée à des compétences en gestion des risques, en communication et en gestion du temps. Le candidat travaillera également avec une équipe mondiale d’experts pour moderniser la plateforme SDLC de l’entreprise afin de permettre le déploiement automatisé vers des endpoints cloud privés et publics ainsi que vers des outils basés sur SaaS. Ce rôle offre l’opportunité de s’impliquer dès le départ afin de contribuer à construire la prochaine génération d’outillage de développement et de déploiement pour un ensemble diversifié de piles technologiques pour la prochaine décennie.

Un SecDesign Generalist a les responsabilités suivantes :

• Lead SecDesign deep dives avec le demandeur de l’évaluation.
• Prioriser les risques identifiés en fonction des risques pour l’entreprise.
• Réaliser l’évaluation et fournir au demandeur les risques/le] besoins en matière de technologie. Domaines couverts :

• a. Authentication, Authorization, Auditing
• b. Application Security – Session Security, Vulnerability/Pen Testing items, Input Validation
• c. Secure data transport and storage
• d. Network Security Principles and best practices.
• e. Cloud Security Principles and best practices

• 1. Periodically review security reference architecture (security blueprints) and conduct updates/enhancements.
• 2. Participate in various Operational and Technology Risk governance processes.
• 3. Assist in identifying new areas and opportunities of technology investment for the firm.

Compétences et expérience

Soft Skills (Required)

• Excellent communication skills: written, oral, presentation, listening.
• Ability to influence through factual reasoning.
• Time management: ability to handle multiple concurrent assessments, plan based deliverable management, strong follow up and tracking.
• Strong focus on delivery when presented with short timelines and increased involvement from senior management.
• Ability to adjust communication of technology risks vs business risks based on the audience.

Compétences en architecture de sécurité

• Required – In depth knowledge of application, network, and platform security vulnerabilities. Ability to explain these vulnerabilities to developers.
• Required – Experience in conducting Information Security, IT Security, Audit assessments. Presenting the outcomes of the assessment and obtaining buy in.
• Required – Strong focus on reviewing technical designs and functional requirements to identify areas of Security weakness.
• Required – Knowledge of Cloud Service Providers (AWS/Google/Azure) cloud, DevOps and CI/CD
• Required – The candidate must have working experience in at least three of the following application/network security domains :

• a. Authentication: SAML, SiteMinder, Kerberos, OpenId
• b. Entitlements and identity management
• c. Data protection, data leakage prevention and secure data transfer and storage
• d. App Security - validation checking, software attack methodologies.
• e. Cryptography – encryption and hashing

• Desired - Prior experience administering systems for version control (Bitbucket, Github), issue tracking (Jira), continuous integration (Jenkins, Github Actions), or release management.
• Desired – Knowledge of standard network model and the risks that present at each layer, the functions of network equipment such as switches, routers, firewalls, proxies, VPNs, and load-balancers, and understanding of common network architectures.
• Desired - The candidate must have working knowledge of the primary operating systems (Unix, Windows, z/OS, Mac OS), the configuration and management of that platform at an enterprise scale, the security risks to that platform, and how to mitigate those risks.
• Desired - experience in testing tools, at least one of Veracode, Fortify, OunceLabs, AppScan, WebInspect, Burp

Expérience en développement

• Required – Even though the SecDesign Integrator role is not a development role, the candidate must have previous background in programming, design, and application architecture.
• Required – In order to be a practical SecDesign Integrator the candidate must have experience implementing complex applications in an enterprise environment.
• Required – working knowledge of programming and scripting languages: Java, JavaScript, C#, C/C++, Perl, Python, Ruby
• Desired – In-depth knowledge of web technologies such as Web Browsers, Web Servers, Web Services

Autres domaines d’expertise

• Frameworks, protocols, and subsystems: J2EE, .NET, Spring, RPC, SOAP, MQSeries, JMS, RMI, JMX, Hibernate.
• Knowledge of JSP /Servlet/EJB or ASP.NET, HTTP/HTTPS, Cookies, AJAX, JavaScript, Flex / Silverlight.
• Database design and programming experience
• Experience of liaising with 3rd Party Entities (exchanges, suppliers, regulators)
• Experience in conducting and / or reviewing penetration tests, dynamic vulnerability assessments and static vulnerability assessments.
• Understanding of geographic regulations and their impact on Security assessments
• Previous experience in Financial Services is preferred.
• CISSP or other industry qualification
• Desired – experience working with global organizations.