J.P. Morgan

Application Security Lead - Cybersecurity

  • Graduate job
  • Columbus (Franklin County)
  • Infra / Networks / Telecom

Job description

JPMorgan Chase & Co. (NYSE: JPM) is a leading global financial services firm with assets of $2 trillion and operations in more than 60 countries. The firm is a leader in investment banking, financial services for consumers, small business and commercial banking, financial transaction processing, asset management, and private equity.

Our Business
With assets under supervision amounting to $2.2 trillion and $1.5 trillion in assets under management, J.P. Morgan Asset Management (AM) is one of the largest asset and wealth managers in the world. We service institutional, high net worth and retail clients through J.P. Morgan's Asset Management, Highbridge Capital Management and Private Banking, which includes the Private Bank, Private Wealth Management, and J.P. Morgan Securities sub-lines of business.

Asset Management's Infrastructure Application Services (AMIAS) team develops and manages the suite of applications, infrastructure components and systems that support client reporting, business profitability analysis, information websites, investment engines, pricing databases, decision-making and data processing. The technologies we support and provide oversight for include: data centers, servers, desktops, networks, communications systems, contingency sites and much more.

Our team
AMIAS is comprised of a global management team who specialize in:
· Architecture and Engineering
· Business Management
· Information Security
· Distributed Computing
· End User Technology
· Implementation Management
· Infrastructure Solutions Management
· Innovation
· Production Support
· Program Management

Information Security Organization
Information Security's purpose is to ensure the security and resiliency of the Firm's computing environment, protect customer and employee confidential information, and comply with regulatory requirements globally. The organization's goals are accomplished through strong information security leadership and active collaboration with line of business information risk managers to provide high quality security solutions and services that improve the Firm's risk posture.

Given the changing threat landscape, Information Security will be aggressively implementing a large number of security initiatives and enhanced controls which will impact both the firm's workforce and customers.

The Application Security Lead will be part of the Asset Management Cyber Threat Organization, which is responsible for working with the various AM software application development teams in JPMC to help them analyze and determine the applicability and severity of identified potential security vulnerabilities. The Application Security Lead will consider the risk and severity of the vulnerability, comprehend any compensating controls, and make a joint assessment with the AD team on exploitability and severity; offer suggestions on remediation methods such as compensating controls, version upgrades, and technology changes; and monitor data feeds with new vulnerability and patch information, as well as inventory/usage changes, to proactively engage with the appropriate development teams and help determine the appropriate plan of action. The position has opportunities to build cutting-edge web/net/mobile vulnerability inspection rules, to determine false positives in the scanning results, and to provide remediation recommendations. The position will work closely with the Asset Management AD teams, Static Scanning Support Team, Mobile AD and Support Team, KPI Reporting Team (Radar/MAS), and external business partners to ensure that technologies and best practices are properly applied to protect JPMC's products, services, and customer information.

Responsibilities
· Contribute to the success of the AM Application Security program by working with security architects, software security champions (SSCs), Application Security Champions (ASCs), application development (AD) managers, application developers, and information risk managers (IRMs) to deploy software security controls effectively.
· Govern, build, and maintain Asset Management's static scanning complex's global rules/filters/templates and vendor rulepack updates. This includes, but is not limited to, re-certification activities, change impact analysis, effectiveness assessments, and release tests for the crucial application security components.
· Coordinate and facilitate meetings to analyze code, to build application-specific custom rules/filters, and to implement and maintain the application-specific rules/filters.
· Drive the vulnerability remediation efforts, including identifying the vulnerability scenarios through the SSAP static scanning report, determining the remediation methodologies for the issue, coordinating the task force formed by members of different LOBs, and delivering the remediation run book to be shared with the AD communities.
· Work with AD teams to implement and maintain security frameworks within their applications.
· Provide expertise and support for security practices and controls in the rule development and deployment process (e.g. threat modeling, static scanning, native configuration checking, and pen testing).
· Distribute security intelligence and tangible security guidance to the ASCs; develop, modify and provide training material to the ASC forum; and be able to present worldwide training to the ASC community to keep our development teams current with the latest available security knowledge.

Desired profile

Qualifications
BS degree in computer engineering or equivalent and 7-10 years of relevant experience in the information technology field.
· 5+ years of hands on application security experience
· 5+ years of hands on software development experience
· 5+ years of experience in software security and software security vulnerabilities
· Expert knowledge of software vulnerability remediation techniques and libraries
· Expert knowledge of NVD, CVSS scoring, risk ranking, threats and vulnerabilities, and performing web application security assessments
· Proven ability to perform successful security code reviews. Must be able to clearly articulate your role in conducting the review, the issues you were able to identify, and how you successfully remediated the issue with the associated development team.
· Understanding of static code analysis tool principles and practices (e.g. HP Fortify, IBM AppScan Source, Pylint, RATS, Veracode, BlackDuck), with experience providing development teams tangible guidance to remedy vulnerability defects.
· Experience in working with common OSS frameworks.
· Thorough working knowledge of J2EE and security solutions within that framework.
· Deep code-level knowledge of common software security vulnerabilities and remediation methods for Java applications.
· Deep knowledge of the OWASP Top 10 and the ability to explain how these issues should be remediated.
· Expert level analyst with proven capability to comprehend various technology stacks related to web security, authentication, database security, session management, business logic and input validation methods.
· A minimum of 3 years of data analysis utilizing SQL queries, Excel and Access. The position requires the ability to generate reports and analyze data sets, utilizing custom written SQL queries and Visual Basic for both Excel and Access.
· Proficiency with CVSS, CVE and related schema and scoring.
· Knowledge of common open source applications from Apache, Oracle, etc. and their known security vulnerabilities will be a job requirement.
· Strong technical acumen, communication and influence skills. You should have the ability to explain in depth your assessment of a vulnerability to an application developer so they are able to understand the issue and successfully remediate the finding. The end result must be to resolve the security issue successfully.
· Experience in pen-testing is not required, but is considered a plus.
· Professional certifications preferred (e.g. JPMC ASC or CSSLP, GSSP, CISA, CISSP).
· The candidate must be a “self starter”, able to operate independently with minimal guidance, and produce tangible, measurable results.
