Informacje o stanowisku

Business Unit Overview

Led by the Chief Information Security Officer (CISO), Technology Risk secures Goldman Sachs against hackers and other cyber threats. We are responsible for detecting and preventing attempted cyber intrusions against the firm, helping the firm develop more secure applications and infrastructure, developing software in support of our efforts, measuring cybersecurity risk, and designing and driving implementation of cybersecurity controls. The team has global presence across the Americas, APAC, India and EMEA. Within Technology Risk, Advisory is the consultative and technology subject matter expertise arm, responsible for assessing new technology initiatives for risk, partnering with engineers to architect and design secure products and services, embedding implementation reviews as part of the SDLC and CI/CD pipeline via code analysis and penetration testing, and guiding technology innovation in terms of security and control across Goldman Sachs. The team plays a critical role in designing and assessing controls for our transition to building native public cloud applications.

Role

In this role, you will join the global Secure SDLC (S-SDLC) team within Technology Risk - the team is responsible for the identification of software security flaws, along with providing security assurance advice and guidance to the engineers to help them manage application risks. You will interact with all parts of the firm giving you the opportunity to grow within the Technology Risk team as well as other divisions within the firm.

The ideal candidate should have experience of integrating, and tuning, software security controls within continuous deployment SDLC, ability to review, triage and remediate findings by interfacing with the Business Units and help raise developer security awareness.

RESPONSIBILITIES AND QUALIFICATIONS

The Secure-SDLC team is responsible for the identification of software security flaws, along with providing security assurance advice and guidance to the engineers to help them manage application risks.

Responsibilities

• Lead and support static, dynamic and security awareness services
• Lead development, maintenance and improvement of detection controls, security reviews, remediation activities and business unit engagements
• Lead S-SDLC training and guidance on security related issues
• Drive adoption of embedded application security controls within Software Development Life Cycle (SDLC)
• Lead product evaluation and help engineer tools and solutions that will facilitate the adoption of security controls across the firm
• Review and provide advice and consultation to business owners for the identified security issues

Basic Qualifications

Have a minimum of 5 years experience in information security or related field. You will use your strong technical, interpersonal, organizational, written, and verbal communication skills to interact with your internal clients locally and globally. Your knowledge of Application Security, Risk Analysis and Risk Management techniques, methodologies and governance will enable you to be an active member of the team along with your professional experience in one, or more, of the following disciplines:

• Understanding of common application security vulnerabilities and controls to remediate.
• Ability to engage technical client base of engineers and communicate security requirements, potential risks and influence development practices
• Ability to communicate security flaws in a clear and concise manner to a broad range of audience from engineers, SMEs to senior management
• Ability to provide clear guidance on vulnerability remediation
• Expert/Advanced knowledge of Secure software development practices and frameworks
• Expert/Advanced knowledge of Secure Code Review and Application Security assessment
• Expert/Advanced knowledge of at least one major programming language (e.g. Java, Python, Go etc.)
• Expert/Advanced knowledge of CI/CD platforms e.g. Gitlab, Jenkins, BitBucket CI, Bamboo, Travis CI, Circle CI, AWS Code Commit and Deploy (or similar)
• Expert/Advanced knowledge of DevSecOps solutions e.g:
• Static Application Security Testing (SAST)
• Dynamic/Interactive Application Security Testing (DAST/IAST)
• Software Composition Analysis (SCA)
• Infrastructure as Code (IaC)
• Container Security
• Mobile Security

Preferred qualifications:

• Program management skills
• Expert Knowledge of Cloud (AWS, GCP, Azure) and Cloud Security applications

Warszawa - Oferty pracy w okolicznych lokalizacjach