Application Security Lead Analyst - VP

Overview of the Role

Citi, the leading global bank, has approximately 200 million customer accounts and does business in more than 160 countries and jurisdictions. Citi provides consumers, corporations, governments, and institutions with a broad range of financial products and services, including consumer banking and credit, corporate and investment banking, securities brokerage, transaction services, and wealth management.

As a bank with a brain and a soul, Citi creates economic value that is systemically responsible and in our clients’ best interests. As a financial institution that touches every region of the world and every sector that shapes your daily life, our Enterprise Operations & Technology teams are charged with a mission that rivals any large tech company. Our technology solutions are the foundations of everything we do from keeping the bank safe, managing global resources, and providing the technical tools our workers need to be successful to designing our digital architecture and ensuring our platforms provide a first-class customer experience. We reimagine client and partner experiences to deliver excellence through secure, reliable, and efficient services.

Our commitment to diversity includes a workforce that represents the clients we serve from all walks of life, backgrounds, and origins. We foster an environment where the best people want to work. We value and demand respect for others, promote individuals based on merit, and ensure opportunities for personal development are widely available to all. Ideal candidates are innovators with well-rounded backgrounds who bring their authentic selves to work and complement our culture of delivering results with pride. If you are a problem solver who seeks passion in your work, come join us. We’ll enable growth and progress together.

The Application Security Lead Analyst provides application security services to Citi businesses early in the Software Development Life Cycle (SDLC). Candidate needs to work closely with development teams on latest Application Security tools and processes to integrate security testing. The successful candidate must be an individual who understands modern software development trends, understands engineering-led software security practices, and keeps up with the ever evolving cyber security threat landscape.

Success in the role requires an innovative mind, a proven track record of delivering solutions that meet security needs, integrate application security into our DevOps pipeline, automate security as code and enable successful detection and response to any and all threats in our environment. The primary focus will address testing needs within development organizations striving for continuous deployment and using automated security tooling including SAST, DAST and SCA. Within his/her leadership role, this individual is expected to train and guide application teams as a hand-on participant.

Responsibilities:

The candidate will be responsible for the aspects of the Application Security Program initiatives including but not limited to the following:

• Early Detection of Vulnerabilities : Proactive in identifying and mitigating security risk before they moved to production environment.
• Perform application security testing on various types of applications such as web, APIs (REST/SOAP/Micro services), mobile, etc. by utilizing Static Application Security Testing (SAST), Interactive Application Security Testing (IAST), Dynamic Application Security Testing (DAST) and Component Vulnerability Management (CVM).
• Provide required trainings and guidance to the developers that helps to prevent introduction of vulnerabilities.
• Guide the application teams to proactively identify and remediate the vulnerabilities during the development phase by utilizing the Application Security Tool Suite in the CI/CD pipeline.
• Continuously evaluate application security practices and implement changes that improves developer security experience, reduces risk and accelerate the time to market.
• Build the data analytics and metrics to track the effectiveness of the App Sec initiatives.
• Have the ability to read and understand application source code in order to provide specific recommendations for the identified vulnerabilities to application teams.
• Have strong technical writing and presentation skills to report and articulate security vulnerabilities to technical and non-technical audiences.

Qualifications:

• At least 5 years of experience in security testing performing:
  • Application penetration testing including Web, API, Mobile
  • Source code review preferably in Java or .NET programming languages
  • Software composition analysis
  • Threat modeling
• A good understanding of enterprise application development using programming languages such as Java or .NET.
• Experience in source code management, build and deployment technologies such as RLM, Udeploy, Jenkins, Artifactory, Maven, GitHub, etc
• Good understanding of the following: JIRA, Checkmarx, BlackDuck, Contrast, AWS, GCP, Azure, Docker, Kubernetes, OpenShift, PCF.
• Excellent communication skills (written and verbal) and the ability to communicate with all levels of staff and management are also essential.
• Must have a strong understanding of ethical hacking methodologies, frameworks, and industry resources, e.g. OWASP, NIST publications, SANS/CWE, among others.

Education:

• Bachelor’s degree in Computer Science, Information Systems Management, or related field preferred.
• Industry-accredited security certifications will be required. The candidate must have or be willing to obtain certifications from the following industry recognized organizations: Offensive Security, GIAC, ISC2, EC-Council, ISACA, etc.

------------------------------------------------------

Job Family Group:

------------------------------------------------------

Job Family:

------------------------------------------------------

Time Type:

------------------------------------------------------

Primary Location:

------------------------------------------------------

Primary Location Full Time Salary Range:

In addition to salary, Citi’s offerings may also include, for eligible employees, discretionary and formulaic incentive and retention awards. Citi offers competitive employee benefits, including: medical, dental & vision coverage; 401(k); life, accident, and disability insurance; and wellness programs. Citi also offers paid time off packages, including planned time off (vacation), unplanned time off (sick leave), and paid holidays. For additional information regarding Citi employee benefits, please visit citibenefits.com. Available offerings may vary by jurisdiction, job level, and date of hire.

------------------------------------------------------

Anticipated Posting Close Date:

------------------------------------------------------

Citi is an equal opportunity and affirmative action employer.

Qualified applicants will receive consideration without regard to their race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or status as a protected veteran.

Citigroup Inc. and its subsidiaries ("Citi”) invite all qualified interested applicants to apply for career opportunities. If you are a person with a disability and need a reasonable accommodation to use our search tools and/or apply for a career opportunity review Accessibility at Citi.

View the "EEO is the Law" poster. View the EEO is the Law Supplement.

View the EEO Policy Statement.

View the Pay Transparency Posting