Senior Application Security Analyst

Job Req ID: 24759467
Location(s): Irving, Texas; Tampa, Florida
Job Type: On-Site/Resident
Job Category: Technology

The position is a cross-functional role that will be responsible for various Application Security program initiatives. The successful candidate must be an individual who understands modern software development trends, understands engineering-led software security practices, and keeps up with the ever-evolving cyber security threat landscape. The successful candidate will liaise with internal groups and our regional partners to ensure that program deliverables are met.

Success in the role requires an innovative mind and a proven track record of delivering solutions that meet security needs, integrate application security into our DevOps pipeline, automate security as code, and enable successful detection and response to any and all threats in our environment. The individual will work closely with the SSDLC program to contribute to defining application security testing standards and policies. Responsibilities include defining testing services and methodologies (be they tool-based and/or manual) early in the SSDLC lifecycle. The primary focus will address testing needs within development organizations striving for continuous deployment and using automated security tooling including SAST, DAST and SCA. Within his/her leadership role, this individual is expected to mentor team members, set direction and lead execution of services as a hands-on participant.

Key Responsibilities:

The candidate will be responsible for aspects of the Application Security Program initiatives, including but not limited to the following:

  • Establish/manage multiple security programs that support the security testing requirements at the bank
  • Forging and maintaining strong working relationships with development functions/teams, product delivery teams, project management, third party management, enterprise architecture, audit teams, etc.
  • Participate in security and technology strategic planning to ensure identified risk governance is incorporated into the CISO enterprise strategy.
  • In partnership with business sectors, run delegate action groups to provide recommendations to strengthen development processes and security testing
  • Appropriately assess risk and provide software security advice when business decisions are made
  • Interface with Application Security Program Team to oversee Program Projects and Initiatives and make strategic recommendations to senior manager on standards and policy changes

Qualifications

  • Experience in key activities within a software security group, such as Threat Modeling / Application Risk Assessment, Vulnerability Assessments, Training, etc.
  • Pre-requisites for this position are a Bachelor's Degree with 4 - 6 years' experience in application development or application secure code review
  • Experience must include experience as a technical lead or manager
  • Knowledge of cloud computing concepts and DevOps tools (OpenShift, Kubernetes, Docker, Chef, etc.)
  • Experience using or testing cloud platforms (AWS, Google, Azure, etc.) and security in/of the cloud is a plus
  • Understanding of security, web-based and infrastructure vulnerabilities is required
  • Experience in source code management, build and deployment technologies such as RLM, uDeploy, Jenkins, Artifactory, Maven, GitHub, etc.
  • Experience conducting vulnerability assessments and articulating security issues to technical and non-technical audiences.
  • Understanding of Checkmarx, AppScan Source, Fortify, Veracode, SonarQube, Snyk, Sonatype or Black Duck platforms is a plus.
  • Knowledge of tools and processes used to expose common vulnerabilities and implement countermeasures is expected.
  • Excellent communication skills (written and verbal) and the ability to communicate with all levels of staff and management are also essential.
  • Demonstrated knowledge of recognized security industry standards and leading practices (e.g., FFIEC, NIST, C2M2, ISO)
  • Relevant professional certifications: GIAC, CISA, CISM, CRISC, CISSP or equivalent are desired

Education:

  • Bachelor’s degree/University degree or equivalent experience
  • Master’s degree a plus

------------------------------------------------------

Job Family Group:

Technology

------------------------------------------------------

Job Family:

Information Security

------------------------------------------------------

Time Type:

Full time

------------------------------------------------------

Primary Location:

Irving Texas United States

------------------------------------------------------

Primary Location Full Time Salary Range:

$156,160.00 - $234,240.00


In addition to salary, Citi’s offerings may also include, for eligible employees, discretionary and formulaic incentive and retention awards. Citi offers competitive employee benefits, including: medical, dental & vision coverage; 401(k); life, accident, and disability insurance; and wellness programs. Citi also offers paid time off packages, including planned time off (vacation), unplanned time off (sick leave), and paid holidays. For additional information regarding Citi employee benefits, please visit citibenefits.com. Available offerings may vary by jurisdiction, job level, and date of hire.

------------------------------------------------------

Anticipated Posting Close Date:

Jul 04, 2024

------------------------------------------------------

Citi is an equal opportunity and affirmative action employer.

Qualified applicants will receive consideration without regard to their race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or status as a protected veteran.

Citigroup Inc. and its subsidiaries ("Citi") invite all qualified interested applicants to apply for career opportunities. If you are a person with a disability and need a reasonable accommodation to use our search tools and/or apply for a career opportunity, review Accessibility at Citi.

View the "EEO is the Law" poster. View the EEO is the Law Supplement.

View the EEO Policy Statement.

View the Pay Transparency Posting
