Browser security lead
Bank of America – Addison, TX
The browser security lead is an expert in design patterns, standards, theory, and implementation of past, present and future web browser technology at Bank of America.
The lead is a champion who ensures the viability of meeting enterprise cyber-security objectives using web technology, and possesses an intimate level of knowledge of browser architecture and internals, particularly as expressed against contemporary web applications and web-enabled frameworks (e.g., WebRTC, PWAs, REST APIs and WebSocket frameworks). The lead uses deep technology skills to understand technology risks associated with browsers and client-side web application contexts, and assists software architects, control owners, and technology strategy teams in identifying and navigating architecturally significant technology and risk landscapes. The lead partners with technology leaders from other enterprise technology functions in designing and fulfilling the enterprise browser strategy.
Primary Responsibilities
- Research, understand, and interpret browser security requirements into practical control objectives and controls
- Evaluate the fulfillment / achievement of browser security objectives across enterprise and third-party web applications
- Actively participate in browser standards and innovation processes; understand the browser technology roadmap and anticipate and articulate architectural ramifications of changes to browser technology
- Identify enterprise risks, including risks of known unknowns and unknown unknowns, related to browser technology
- Provide subject matter expertise in application security of one or more major enterprise web application platforms used by Bank of America, including but not limited to Java / J2EE, .Net, Mobile (iOS and / or Android), Big Data, Python, Mainframe
- Apply and interpret application security objectives in the context of designated platforms
- Identify, champion, and supervise the implementation of defensive controls, methods and processes within Bank applications
- Contribute to an enterprise library of application security components and systems through vendor selection, evaluation, and original contributions
- Proactively engage stakeholders, including development managers, developers, architects, and governance bodies in the Bank, to achieve security objectives
- Deliver multiple technology projects across multiple teams
- Regularly interact with senior technology and business management, requiring the ability to explain complex technical matters in a way both technical and non-technical personnel can understand
- Manage business partner relationships to deliver a seamless and responsive workflow
- Collaboratively develop technical architectures, processes and procedures pursuant to application security objectives together with business and technical partners
- Deliver training and collaborate with internal and approved external knowledge-sharing bodies
- Develop processes and procedures to advance application security objectives, suitable for adoption throughout the Bank
- Contribute to and interpret enterprise policies, standards, and baselines, and mentor personnel with less experience or knowledge of the same
Required Skills
- Expert knowledge of one or more browser implementations, preferably among Chrome (or Chromium-family), Safari, Firefox
- Knowledge of relevant standards and standards activity, including IETF (e.g., HTTP, TLS, and networking), W3 (e.g., WebSockets, PWAs/Service Workers) as well as platform-specific standards
- Exposure to application security testing techniques
- Able to read and write software in at least one programming language such as C, C++, .Net, Java, Python
- Comprehensive understanding of at least one application security life cycle, up to and including operations, maintenance and decommissioning
- Knowledge of at least three application security testing methodologies and approaches, including formal methods, system-level security, SAST / DAST, threat modeling, ethical hacking and crowd-sourcing
- Knowledge of cryptographic algorithms and architectures
- Experience with business planning, governance and management of application development or application security functions at a systemically important financial institution
- Ability to write policies, standards and baselines around application security and associated topics
Required Experience Level:
- 5-10 years of progressive experience in application security and / or software development, with at least 2 years of experience in client-side web programming
- Bachelor's degree or higher in CS, IT, or a related technical or engineering field
- Experience working in the financial sector
- CISSP or similar professional certification, or commensurate experience
Desired Skills:
- Technical writing skills
- Public speaking skills
- Cyber security experience at a systemically important financial institution
- Experience working at a bank, credit union, money services business, or similar
- Experience with online collaboration tools and technologies such as SharePoint, Slack, HipChat, video conferencing
- Experience with source control, agile development, bug tracking, build automation, and change control platforms
- Understanding of contemporary networking technologies, e.g., TCP/IP, routing, subnetting, firewalls, VPN and DMZ
- Knowledge of one or more contemporary endpoint architectures, including Mac, Windows (workstation and/or server), Linux, iOS, Android, mainframe
- Experience with dynamic application security defensive technology, such as WAF, RASP, compiler security mechanisms and language-theoretic security
- Knowledge of NIST 800 series, FIPS standards, ISO 27000 series, CSA and related standards
1st shift (United States of America)
Hours Per Week: