Application Security Lead

S&P Global


The Role: A successful candidate for this position will have:

  • Excellent communication skills, with an emphasis on the ability to communicate security topics, policies, and standards with non-technical people
  • Understanding of how applications, cloud networking, operating systems, and databases work
  • Good understanding of information security standards like NIST - Cybersecurity framework, ISO 27001, and risk management methodologies
  • Excellence at stakeholder engagement and the ability to build strong partnerships across the technology and business teams
  • Sound knowledge of common infrastructure and web application vulnerability categorizations such as CVE, CVSS, and CWE
  • Experience with performing complex network vulnerability scans in both on-prem and cloud environments using common vulnerability assessment tools
  • Experience in analyzing, identifying, and developing remediation plans for vulnerabilities until full closure
  • In-depth understanding of application & web-based attacks and remediation
  • Experience in configuring different types of scans using the Qualys tool or related experience in DAST/SAST tools
  • Excellent interpersonal skills and ability to analyze issues while balancing the business need with the required level of security posture
  • The ability to use an analytical approach to build and troubleshoot automation pipelines that drive significant risk reduction and surface risk posture across the organization
  • The willingness to participate in different rotational shift schedules as required

Education

Bachelor’s Degree in Computer Science, Information Systems, or equivalent work-related experience.

Experience

  • 5-7 years in a professional environment, preferably as part of an operational security function (vulnerability detection/management/review, application testing, technical project management)
  • Minimum of 3 years' experience using large-scale information security scanning or vulnerability detection tools
  • Risk Management: An analytical approach to risk management, including assessing and surfacing risk posture across the organization, is important for maintaining a strong security posture. 
  • Vulnerability Knowledge: A solid grasp of common vulnerability categorizations such as CVE, CVSS, and CWE is necessary for accurately assessing and prioritizing vulnerabilities.
  • Good to have: experience with information security scanning tools such as Fortify Source Code Analyzer, WhiteSource, and SonarQube, as well as experience with CI/CD tools like Jenkins, Ansible, and Azure DevOps

Requirements:

Responsibilities will include, but are not limited to, the following:

  • Engage with Application Technical Leads and IT managers to deploy security tools and enforce scans across infrastructure, source code, web UI, and third-party software/libraries
  • Provide recommendations and technical guidance for the lifecycle of open-source software libraries
  • Track and monitor at key milestones, or after significant changes in the environment, to identify network, infrastructure, and configuration vulnerabilities
  • Use automation, orchestration, and scripting to reduce manual processes, improving overall efficiency to meet our rapidly changing needs
  • Perform ad-hoc data remediations, clean-ups, and reporting using large complex datasets for rapid security responses
  • Develop reports using data that is hosted in multiple sources/tools (e.g., spreadsheets, databases) and communicate clearly to leadership and other cyber security teams
  • Curate and assess vulnerability data extracts to analyze and resolve false positives
  • Support new projects, programs, or initiatives with vulnerability scanning of new or existing assets as required
  • Review and risk-assess the criticality and priority of all vulnerability scans, using the existing toolset for prioritization

Desired Qualifications

  • Prior experience in a large and complex organization, operating across numerous locations and with a high degree of change.
  • Experience reproducing proof of concept exploitation steps.
  • Experience judging the priority of a vulnerability based on risk and impact.
  • Experience securing applications and infrastructure in Amazon Web Services and similar IaaS / PaaS platforms.
  • Deep application security knowledge, with the ability to map an application vulnerability to exploitation indications and relevant investigative techniques.
  • Relevant incident response or information security certifications, such as CEH, Security+, GSEC, GCIH, etc.

Equal Opportunity Employer

S&P Global is an equal opportunity employer and all qualified candidates will receive consideration for employment without regard to race/ethnicity, color, religion, sex, sexual orientation, gender identity, national origin, age, disability, marital status, military veteran status, unemployment status, or any other status protected by law. Only electronic job submissions will be considered for employment. 

If you need an accommodation during the application process due to a disability, please send an email to: EEO.Compliance@spglobal.com and your request will be forwarded to the appropriate person.  

US Candidates Only: The EEO is the Law Poster http://www.dol.gov/ofccp/regs/compliance/posters/pdf/eeopost.pdf describes discrimination protections under federal law. 


20 - Professional (EEO-2 Job Categories-United States of America), IFTECH202.2 - Middle Professional Tier II (EEO Job Group)
