TIAA Application Security Tester in New York, New York
Since 1918, it has been TIAA’s mission to serve, our ability to perform, and the values we embrace that make us a different kind of financial services organization. We’re dedicated to serving the financial needs of those in the academic, medical, cultural, governmental and research fields, and committed to helping make lifetime financial well-being possible for them.
By building a culture that allows all employees to contribute their unique talents and skills, we’re able to provide our customers with fresh ideas and distinct perspectives to help them achieve their goals. We believe a diverse and inclusive workforce is one of our greatest strengths and a key measure of our success.
For more information about TIAA, visit our website at https://www.tiaa.org/public/why-tiaa/who-we-are.
This candidate will be primarily responsible for assessment of application source code, dynamic application testing and other testing duties as necessary to ensure system compliance with security standards and baselines. Assessments will cover a complex application environment including a mixture of mostly J2EE, with some .Net and other languages/platforms. All discovered vulnerabilities must be registered with central management tools and communicated to the responsible parties, and action plans developed for timely remediation. Metrics and reporting to senior management will demonstrate the overall security risk reduction and business benefit of this program.
KEY RESPONSIBILITIES AND DUTIES:
Planning and managing the delivery of Application Security tests (both automatic and manual), and source code reviews on high risk web applications
Partnership with Risk, Compliance, and Audit to determine the high risk applications and creation of formal testing schedules
Responsible for managing or providing developer application security awareness and education
Application inventory administration of automated source code security solutions
Assisting with the development of a best-in-class testing methodology based on application risk scoring
Provide expert assistance to application groups concerning application security
Support the Information Security project team by leading efforts requiring application security subject matter experts
Windows, UNIX and Linux operating systems, Active Directory
C, C++, C#, Java, ASM, PHP, PERL
Network servers and networking tools (e.g. Nessus, nmap, Burp, etc.)
Computer hardware and software systems
Security frameworks (e.g. ISO 27001/27002, NIST, HIPAA, SOX, etc.)
Security tools and products (Fortify, AppScan, etc.)
3-5 years or more of related experience in Information Security performing any of the following: secure source code analysis, ethical hacking, and penetration testing.
Experience with object oriented development with Java or .Net
Additional Necessary Skills:
Working knowledge of various development platforms and frameworks, including but not limited to one or more of the following: Maven, ANT, ATOM, SPRING
Understanding of current threats and exploits to include experience with threat remediation
Understanding of OWASP methodology
Experience with application vulnerability assessment tools (IBM, HP, or open source)
Understanding of common application security issues & risks
Application security experience with remediation of SQL injection, buffer overflows, parameter manipulation, cross-site scripting, etc.
Strong oral and written communication skills
Bachelor’s degree in Computer Science / Information Systems
Military or Government security experience is a plus
Development background using Eclipse or Visual Studio desirable
Security certifications such as CISSP, CSSLP, GIAC, Security+ desirable
Strong technical and operational expert who can implement technology that enables business processes
Experience with mobile application development a plus
Understanding of operating systems and application security configuration
Knowledge of one or more risk assessment methodologies a plus
Ability to grasp new technology concepts quickly and assist others in understanding them as well
Ability to work in a team environment and interact with people. Ability to meet pressured deadlines and time constraints
Ability to communicate findings to non-technical / non-IT personnel with sufficient clarity that they understand the risk entailed in the finding, including suggested resolutions for remediation
Equal Employment Opportunity is not just the law, it’s our commitment. Read more about the Equal Employment Opportunity Law at http://www1.eeoc.gov/employers/upload/eeocselfprint_poster.pdf.
If you need assistance applying due to being visually or hearing impaired, please email Careers Help.
This organization is an equal employment opportunity (EEO) employer, dedicated to maintaining a work environment free of bias, harassment, discrimination and retaliation. As an EEO employer, this organization expressly prohibits discrimination, harassment, and retaliation on the basis of race, creed, ethnicity, color, age, religion, sex, sex stereotype, pregnancy (including childbirth, breastfeeding or related medical conditions where applicable), sexual orientation, gender, gender identity, gender expression, transgender, marital status, national origin, ancestry, physical or mental disability, requesting a reasonable accommodation based on mental or physical disability, medical condition (as defined by applicable law), genetic history and information, citizenship status, military or veteran status, or any other status protected by federal, state, or local law or ordinance or regulation (collectively referred to here as “protected characteristics”).
©2016 Teachers Insurance and Annuity Association of America (TIAA), 730 Third Avenue, New York, NY 10017
Job: Information Technology
Primary Location: NC-Charlotte
Req ID: 1710387