Associate Principal, Application Security

What You'll Do:
Working closely with other members of the Security Services, Application Services, Internet Services and Quality Assurance teams, lead secure software development initiatives, projects, and operations. Responsibilities include implementation of security best practices in the software development life cycle (SDLC), guiding application teams in the secure development of custom applications, and integrating custom and commercial software with security infrastructure to support the confidentiality, integrity and availability of enterprise applications.
Primary Duties and Responsibilities:
To perform this job successfully, an individual must be able to perform each primary duty satisfactorily.
To perform this job successfully, an individual must be able to perform each primary duty satisfactorily.

• Application Security Testing - The use and maintenance of cloud and self-managed security scanning tools, manual source code reviews, and manual penetration assessments.
• Vulnerability Management - The cataloging, reviewing for false positives and mitigations, threat and risk assessments, and lifecycle management through remediation according to SLAs of application vulnerabilities.
• Release Management - Ongoing reviews of application releases to ensure only secure and reviewed code is pushed to prod, with automation tasks as necessary.
• CI/CD pipeline - Develop scripts to integrate Security tools into the Jenkins pipeline and assist development teams with interpreting results from pipeline vulnerability verification reports to facilitate vulnerability remediation.
• Documentation - Perform administrative and regulatory control activities including development of process and procedural documentation and gathering evidence for audits.
• Process Improvement - Continually enhance current practices, assess current toolset, and help implement new tools and processes to enhance current security coverage.

Supervisory Responsibilities:

• NA

Qualifications:
The requirements listed are representative of the knowledge, skill, and/or ability required. Reasonable accommodations may be made to enable individuals with disabilities to perform the primary functions.

• Excellent oral and written communication, analytical skills to successfully analyze and communicate complex problem and solutions.

• Organized, curious, persistent, and service-oriented.
• Ability to work independently and effectively with local and remote OCC staff, management, and consultants while exercising sound judgment.
• Critical thinking and Analytical skills (preferred that the applicants have taken information system focused courses)
• Self-starter
• Programming knowledge and coding experience, particularly Python and JAVA
• Basic understanding of system development lifecycle
• Prefer basic knowledge of CI/CD pipelines (Jenkins)
• Prefer knowledge of IAC and containers
• Prefer knowledge of Security control frameworks (RMF, CSF)

Technical Skills:
Required

• General knowledge of scripting languages (Python, etc.)
• Experience performing Application Security manual penetration tests and familiarity with pentesting tools (e.g., Burp Suite, Kali Linux, Postman)
• Knowledge of security architecture design and principles including confidentiality, integrity, and availability.

• Experience with using or reviewing output of automated code scanning tools and development pipeline tools
• Understanding of security concepts and practices, including those for authentication, authorization, access control and auditing as well as best practices (e.g. OWASP).
• Familiarity with application frameworks and their built-in security services and API's (i.e., Sun J2EE, MS .NET, OMG CORBA, Spring, etc.)
• Familiarity with application authentication and authorization systems (i.e., CA SiteMinder, RSA SecurID/ACE, NS Active Directory and LDAP)
• General knowledge of cryptography (symmetric and asymmetric encryption, digital signatures, message digests, certificates, PKI, SSL/TLS, etc.)
• Fundamental understanding of network and data communications technologies
• Knowledge of security in Cloud concepts
• Knowledge of Secure DevOps concepts

Preferred

• Experience or relevant training in Terraform and cloud platforms such as AWS
• Experience with Java programming including Java Servlets, JSP, J2EE, Spring.
• Experience with J2EE applications and infrastructure including IBM WebSphere Application Server, WebSphere Portal, BEA Weblogic solutions and development.
• Experience with agile methodologies and Jira

Education and/or Experience:

• Degree in Cyber Security, Engineering, Mathematics, Computer Science, or a combination of education and relevant experience.
• Training or experience in Web App or Network pentesting
• Training in cloud (ex., AWS Cloud Practitioner or Certified Cloud Security Professional)
• 5+ years experience working with Secure DevOps or a development pipeline and release management

Certificates or Licenses:

• Professional network and/or security certifications a plus (i.e., GIAC, CISSP, CISA, CISM, CRISC)
• Cloud security/automation certifications a plus (i.e. GCSA, AWS Cloud Practitioner or beyond)
• Penetration testing certifications a plus (i.e. OSCP, GWAPT, Burp Suite Certified Practitioner)

Who We Are
The Options Clearing Corporation (OCC) is the world's largest equity derivatives clearing organization. Founded in 1973, OCC is dedicated to promoting stability and market integrity by delivering clearing and settlement services for options, futures and securities lending transactions. As a Systemically Important Financial Market Utility (SIFMU), OCC operates under the jurisdiction of the U.S. Securities and Exchange Commission (SEC), the U.S. Commodity Futures Trading Commission (CFTC), and the Board of Governors of the Federal Reserve System. OCC has more than 100 clearing members and provides central counterparty (CCP) clearing and settlement services to 19 exchanges and trading platforms. More information about OCC is available at www.theocc.com.
What We Offer
A highly collaborative and supportive environment developed to encourage work-life balance and employee wellness. Some of these components include:
A hybrid work environment, up to 2 days per week of remote work
Tuition Reimbursement to support your continued education
Student Loan Repayment Assistance
Technology Stipend allowing you to use the device of your choice to connect to our network while working remotely
Generous PTO and Parental leave
Competitive health benefits including medical, dental and vision
Step 1
When you find a position you're interested in, click the 'Apply' button. Please complete the application and attach your resume.
Step 2
You will receive an email notification to confirm that we've received your application.
Step 3
If you are called in for an interview, a representative from OCC will contact you to set up a date, time, and location.
For more information about OCC, please click here.
OCC is an Equal Opportunity Employer