The Application Security Manager is responsible for advising IT and business stakeholders on application security and controls, and for providing leadership and guidance for secure code development.
The ideal candidate for this position is a proven Application Security/Risk Management expert with a deep understanding of the methods and techniques needed to drive successful outcomes, and must have hands-on experience in:
- Scaling security within the SDLC through automation, using tool sets such as source code analyzers, vulnerability scanners, configuration validation, and similar techniques.
- Defining application security measures and controls that support risk assessments and the development of secure application platforms.
- Designing, testing and implementing advanced enterprise-level application security standards, techniques and tools.
- Identifying and protecting against web application and web service security vulnerabilities, including those found in the OWASP Top 10 and the CWE/SANS Top 25 Most Dangerous Software Errors.
The key responsibilities of the role are as follows:
- Performs security testing and code review to improve software security.
- Performs focused risk assessments of existing or new applications, services and technologies to ensure the protection of the organization’s information assets and customer information.
- Provides expert advice and consultancy to internal customers on risk assessment, threat modeling and fixing vulnerabilities.
- Works closely with application development teams to provide security expertise on system design, encryption, authentication, security-specific code, and governance.
- Applies domain competencies in a number of IT-risk-related disciplines, including IT risk management, cybersecurity, IT audit, business continuity management, privacy and compliance.
- Manages implementation of application security and risk management framework/tools.
- Communicates risk assessment findings to stakeholders.
- Provides consultative advice to information and application security customers that enables them to make informed risk management decisions.
- Identifies and implements appropriate controls to effectively manage application risks as needed.
- Ensures compliance with industry, regulatory and L’Oreal Group-defined policies and standards.
- Identifies opportunities to improve risk posture, developing solutions for remediating or mitigating application risks and assessing the residual risks.
- Maintains strong working relationships with individuals and groups involved in managing application risks across the organization.
- Partners with multiple teams across multiple locations, each with its own priorities, to ensure timely delivery of secure application solutions.
- Clarifies and drives project commitments, and establishes and maintains clear chains of accountability.
Candidate Evaluation Criteria
Candidates will be evaluated based on their ability to demonstrate a proven track record of proficiency at the following competencies:
- A commitment to the crucial concept of promoting security as an enabler and not an inhibitor of business.
- Building enterprise application management, governance and compliance programs.
- Strong organization, prioritization, rationalization and analytical skills.
- An ability to cultivate and build collaborative working relationships with a broad range of enterprise stakeholders.
- A well-developed understanding of and appreciation for business needs and a commitment to leading the information risk management team in delivering high-quality, prompt, and efficient service to the business.
- A well-developed understanding of and appreciation for organizational mission, values, and goals and consistent application of this knowledge.
- Strong decision-making capabilities, with a proven ability to weigh the relative costs and benefits of potential actions and identify the most appropriate one.
- An ability to effectively influence others to modify their opinions, plans, or behaviors.
- An ability to communicate complex and technical issues to diverse audiences, orally and in writing, in an easily-understood, authoritative, structured and actionable manner.
- Understanding of application security fundamentals and general security technologies.
Typical Education and Experience
- BS or higher degree in Computer Science, Information Security, or equivalent experience
- 5+ years of professional experience in IT security, compliance and risk management, including privacy, data protection, security controls, etc.
- Knowledge of software and network architecture and standards (e.g., MVC)
- Experience with either Agile or Waterfall SDLC methodologies
- Experience in developing a Security Development Lifecycle (SDL)
- Experience training technical teams on security related topics: SDL, anti-patterns, vulnerability prevention
- 5+ years of experience working with national and international regulatory and compliance frameworks such as ISO 27000, COBIT, NIST, HIPAA, and PCI DSS