Job Description

Description:
The position is a cross-functional role that will be responsible for various Application Security program initiatives. The position reports directly to the Application Security Program Director. The successful candidate must be an individual who understands modern software development trends, understands engineering-led software security practices, and keeps up with the ever evolving cyber security threat landscape. The successful candidate will liaise with internal groups and our regional partners to ensure that program deliverables are met.
Success in the role requires an innovative mind, a proven track record of delivering solutions that meet security needs, integrate application security into our DevOps pipeline, automate security as code and enable successful detection and response to any and all threats in our environment. The individual will work closely with SSDLC program to contribute to defining application security testing standards and policies. Responsibilities include defining testing services and methodologies (be they tool-based and/or manual) in the early SSDLC lifecycle. The primary focus will address testing needs within development organizations striving for continuous deployment and using automated security tooling including SAST, DAST and SCA. Within his/her leadership role, this individual is expected to mentor team members, set direction and lead execution of services as a hand-on participant.

Key Responsibilities:
The candidate will be responsible for the aspects of the Application Security Program initiatives including but not limited to the following:

Establish/manage multiple security programs that support the security testing requirements at the bank

Forging and maintaining strong working relationships with development functions/teams, product delivery teams, project management, third party management, enterprise architecture, audit teams, etc.

Participate in security and technology strategic planning to ensure identified risk governance is incorporated into the CISO enterprise strategy.

In partnership with business sectors, run delegate action groups to provide recommendations to strengthen development processes and security testing

Appropriately assess risk and provide software security advice when business decisions are made

Interface with Application Security Program Team to oversee Program Projects and Initiatives and make strategic recommendations to senior manager on standards and policy changes

Qualifications

Manage APAC Early Application Vulnerability Detection (EAVD) operations and collaborate with NAM stakeholders to drive security initiatives across the region

Experience in key activities within software security group such Threat Modeling / Application Risk Assessment, Vulnerability Assessments, Training.

Pre-requisites for this position are a Bachelor\'s Degree with 4 - 6 years\' experience in application development or application secure code review

Experience must include experience as a technical lead or manager

Knowledge of cloud computing concepts and DevOps tools (OpenShift, Kubernetes, Docker, Chef, etc)

Experience using or testing cloud platforms (AWS, Google, Azure, etc) and security in/of the cloud is a plus

Understanding of security, web-based and infrastructure vulnerabilities is required

Experience in source code management, build and deployment technologies such as RLM, Udeploy, Jenkins, Artifactory, Maven, GitHub, etc

Experience conducting vulnerability assessments and articulating security issues to technical and non-technical audience.

Understanding of Checkmarx, AppScan Source, Fortify, Veracode, SonarQube, Snyk, Sonatype or Black Duck platform is a plus.

Knowledge of tools and processes used to expose common vulnerabilities and implement countermeasures is expected.

Excellent communication skills (written and verbal) and the ability to communicate with all levels of staff and management are also essential.

Demonstrated knowledge of recognized security industry standards and leading practices (e.g., FFIEC, NIST, C2M2, ISO)

Relevant professional certifications: GIAC, CISA, CISM, CRISC, CISSP or equivalent desired

Effective strategic planning and execution abilities with exceptional planning

Demonstrate advanced functional understanding of Security industry operations, technologies.

Education:

Bachelor\xe2\x80\x99s degree/University degree or equivalent experience

Master\xe2\x80\x99s degree preferred



Job Family Group: Technology



Job Family: Information Security



Time Type: Full time



Citi is an equal opportunity and affirmative action employer.

Qualified applicants will receive consideration without regard to their race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or status as a protected veteran.

Citigroup Inc. and its subsidiaries ("Citi\xe2\x80\x9d) invite all qualified interested applicants to apply for career opportunities. If you are a person with a disability and need a reasonable accommodation to use our search tools and/or apply for a career opportunity review .

View the " " poster. View the .

View the .

View the

Citigroup