The Application Security Engineer plays a critical role in ensuring the security and integrity of the Bank's applications and systems. This role is responsible for validating that applications and systems are designed and implemented according to the Bank's Policies, Standards, and Guidelines. This role also assesses the security of the underlying components of the application or system such as middle-tier systems and databases. Additionally, this role implements and governs repeatable secure development practices to reduce secure coding errors, design flaws, and other vulnerabilities. As issues are uncovered, the application security engineer communicates with the appropriate technical and business teams to ensure proper risk identification, mitigation, and/or acceptance.

Principal Duties & Responsibilities:

• The primary duty of the Application Security Engineer involves performing work directly related to the general business operations of the bank.
• The Application Security Engineer regularly exercises discretion and independent judgment in matters of significance, such as:
• Lead the automation, development, and execution of DevSecOps best practices, integrating security throughout the software development lifecycle (SDLC).
• Support the application vulnerability management lifecycle by implementing and managing static and dynamic application security testing tools.
• Validate that applications and systems are designed and implemented with the Banks security standards by conducting security assessments and audits.
• Analyze the security of applications and their underlying services, including dependencies such as middle-tier systems and databases, to identify vulnerabilities and weaknesses.
• Implement repeatable secure development practices to minimize the introduction of design flaws and vulnerabilities into applications.
• Collaborate with cross-functional teams to prioritize and mitigate security risks, ensuring business continuity without neglecting security.
• Provide guidance and recommendations to development teams on security best practices.
• Stay informed about the latest security threats and recommending security enhancements.
• Performs other duties as assigned.

• 2-4 years of experience implementing security controls in software development processes.

• 2-4 years of experience in application security engineering, with a focus on DevSecOps practices.

• Proficiency in software development languages such as Java, Python, C , etc., to understand application architecture and identify security vulnerabilities.

• Familiarity with dynamic and static analysis tools for code review and vulnerability assessment.

• Expertise in DevOps practices and methodologies, with the ability to integrate security seamlessly into CI/CD pipelines.

• Knowledge of cloud platforms, particularly Microsoft Azure, and their security features and configurations.

• Strong analytical and problem-solving skills to identify and remediate security vulnerabilities effectively.

• Excellent communication and collaboration skills to work effectively with cross-functional teams and third-party vendors.

Relevant Certifications:

• Certified Ethical Hacker (CEH)
• GIAC Web Application Penetration Tester (GWAPT)
• Offensive Security Certified Professional (OSCP)

• Bachelor's Degree in Computer Science, Cybersecurity, Information Technology, or related field preferred.

• Equal Opportunity Employer/Protected Veterans/Individuals with Disabilities.
• Please view Equal Employment Opportunity Posters provided by OFCCP here.
• The contractor will not discharge or in any other manner discriminate against employees or applicants because they have inquired about, discussed, or disclosed their own pay or the pay of another employee or applicant. However, employees who have access to the compensation information of other employees or applicants as a part of their essential job functions cannot disclose the pay of other employees or applicants to individuals who do not otherwise have access to compensation information, unless the disclosure is (a) in response to a formal complaint or charge, (b) in furtherance of an investigation, proceeding, hearing, or action, including an investigation conducted by the employer, or (c) consistent with the contractor's legal duty to furnish information. 41 CFR 60-1.35(c)
• Reasonable accommodation may be made to assist individuals with disabilities to complete the online application process. Please contact our Human Resources Department at 305-577-7680 or by e-mail at employment@citynational.com.
• #LI-NB1