Sr Application Penetration Tester jobs in United States

KeyBank · 1 month ago

Sr Application Penetration Tester

KeyBank is a financial services company seeking a Senior Application Penetration Tester to lead application security efforts within their Cyber Application and Cloud Defense team. The role involves conducting security testing, coordinating application security policies, and promoting information security awareness across the organization.

Banking

Responsibilities

Conducts comprehensive application security testing
Participates in application threat modeling and tabletop exercises
Coordinates the development, implementation, and administration of application security policies and standards
Coordinates and oversees the work of junior team members in application security
Performs development and other operational tasks to maintain the Application Security testing and DevSecOps program within the Cyber Application and Cloud Defense team
Coordinates remediation prioritization and triage efforts for the application security program
Coordinates the development, implementation, and promotion of effective information security awareness within the organization with the goal of making all employees, contractors, alliances, and other third parties security aware
Monitors compliance with the organization's information security policies and standards among employees, contractors, alliances, and other third parties, facilitating remediation by referring problems to appropriate department managers for resolution
Promotes the availability, integrity, and confidentiality of company data, regardless of medium
Provides direction, guidance, and opinions regarding information security awareness, communication, policies, and standards
Assists with the development of information security training to all employees, contractors, alliances, and other third parties, as required. Ensures sponsored training conforms to existing policies and standards
Directs the timely dissemination of information security information
Serves as an internal information security consultant and liaison to all areas of the organization as a daily activity
Communicates the practical implications of information security decisions, issues, and plans to the organization
Monitors advancements in information security methodologies and technologies
Monitors changes in legislation standards that may affect information security
Participates in enterprise-wide information security architecture discussions, as required
Selects and/or works with external vendors, outside consultants, and other third parties to improve information security, as required
Attends conferences and training as required to maintain proficiency

Qualification

Application Security Testing, Java, Node, .NET Frameworks, Threat Modeling, Snyk, Fortify, Checkmarx, Veracode, Burp Suite, Webinspect, Prisma Cloud, CI/CD Pipelines, GitLab Security Scanners, Shell Scripting, Python Scripting, PowerShell Scripting, Cloud Security, SaaS Security, AI Security, GWAPT Certification, OSWE Certification, BSCP Certification, CISSP Certification, Google Cloud Security Engineer, Analytical Skills, Problem-Solving Skills, Communication Skills, Teamwork

Required

Bachelor's degree preferred; equivalent experience of 8 or more years of combined experience within information technology or information security is acceptable
Qualified candidates will have 8+ years of broadly based, progressive experience in information systems, information security environments, or software engineering
Qualified candidates must have experience with, or be well-versed in, development technologies such as Java, Node, or .NET frameworks and have a thorough understanding of web application design and frameworks
Qualified candidates must be able to perform comprehensive static, dynamic, and manual application testing following industry-standard testing methodologies and must have experience with one or more application review tools such as Snyk, Fortify, Checkmarx, Veracode, Burp Suite, Webinspect, Prisma Cloud, Prisma Compute, Cortex Cloud, CI/CD pipelines, or GitLab security scanners
Ability to be a technical lead for an enterprise-wide information security program and processes related to comprehensive application security testing, secure application design, application threat modeling, cloud security, SaaS security, and AI security
A strong drive to follow new and emerging technologies and application design patterns, assess potential risks, and proactively drive adoption and implementation of appropriate controls by development and infrastructure teams
Must be able to use command line tools on Mac workstations
Ability to write shell scripts, Python scripts, PowerShell scripts, and CI/CD pipeline tasks, and to implement automation workflows using APIs
Ability to build and sustain collaborative relationships with multiple constituencies
Ability to translate information security terminology into terms understandable to diverse groups
Excellent written and oral communication skills
Excellent analytical and problem-solving skills
Excellent facilitation and negotiation skills
Ability to work independently
Ability to multi-task and manage competing priorities
Detail oriented
Commitment to teamwork
Ability to drive Continuous Improvement efforts

Preferred

Background in application security, application design patterns, DevSecOps practices, cloud security, SaaS security, and AI security
Strong technical knowledge of application development practices and ability to work closely with development and infrastructure teams
Ability to threat model applications and emerging technologies
Knowledge of existing AI design patterns, risks, and controls
Knowledge of AI-related attacks and ability to pen test applications using AI technology
Able to guide application and infrastructure teams on application security remediation
Able to manage development projects with work intake, sprints, and planned releases
Background in information security and/or organizational communication within the financial services industry
Understanding of federal and industry regulations associated with information security, such as Sarbanes-Oxley, HIPAA, GLBA, etc.
Understanding of application security and cloud security frameworks and standards, such as NIST, CIS, CSA, OWASP, etc.
Knowledge of systems architecture, such as network and distributed systems and/or mainframe systems
Knowledge of security services such as firewalls, IDS, vulnerability assessment, and authentication
Professional certification (GWAPT, OSWE, BSCP, CISSP, or Google Professional Cloud Security Engineer) is desirable

Benefits

Eligibility for incentive compensation subject to individual and company performance

Company

At KeyBank we’ve made a promise to our clients that they will always have a champion in us.

Funding

Current Stage
Late Stage

Leadership Team

Chris Gorman
Chairman, Chief Executive Officer, and President, KeyCorp
Holly Santoro
Executive Administrator to the Chairman & CEO
Company data provided by crunchbase