Job Function: Tech

Position Type: Permanent Contract

Contract Type: Full-time

Site: New York, NY

Country: USA

Job Title: Director, Application Security

Division: L’Oréal IT

Location: Hudson Yards, New York

Reports To: AVP, Cybersecurity

Who We Are:

For more than a century, L’Oréal has devoted its energy, innovation, and scientific excellence solely to one business: Beauty. Our goal is to offer every person around the world the best of beauty in terms of quality, efficacy, safety, sincerity, and responsibility to satisfy all beauty needs and desires in their infinite diversity.

 

At L'Oréal, our IT teams design and build solutions to ensure high performance for all our business sectors by imagining new ways of doing things, from designing websites to building algorithms and predicting new trends. They can be found leading teams towards a more connected and digitalized future in IT retail, e-commerce, CRM, data, AI, cybersecurity, Cloud and E-Marketing. You never stop learning at L'Oréal IT because things change at the speed of light! Come join our dynamic team!

 

What You Will Do:

The Director, Application Security is responsible for overseeing Application Security functions, advising IT/business stakeholders on application security and controls for applications and existing and emerging technology, and providing leadership and guidance for secure code development. The ideal candidate for this position is a proven Application Security expert with a deep understanding of methods and techniques to drive successful outcomes, and must have hands-on experience in:

  • Scaling security within the SDLC through automation, using tool sets such as source code analyzers, vulnerability scanners, configuration validation, and similar techniques.
  • Defining application security measures and controls that support the secure development of application platforms.
  • Designing, testing, and implementing advanced enterprise-level application security standards, techniques and tools.
  • Identifying and protecting against web application and web service security vulnerabilities, including those found in the OWASP Top 10 and CWE/SANS Top 25 dangerous programming errors, conducting testing, and providing solutions for secure application development.

The ideal candidate for this position can prove competency in secure application development strategies or application penetration testing with a deep understanding of methods and techniques to break and fix applications, and must have hands-on experience in at least two of these areas:

  • Scaling security within the SDLC through automation, using tool sets such as source code analyzers, vulnerability scanners, configuration validation, and similar techniques.
  • Performing security testing and providing remediation guidance for application vulnerabilities.
  • Developing application security measures and controls that support risk assessments and the development of secure application platforms.
  • Developing, testing and implementing advanced enterprise level application security standards, techniques and tools.
  • Using application vulnerability assessment tools for static and dynamic code analysis.
  • Conducting application security assessments and tests on web applications, cloud platforms, web services, and mobile applications.
  • Identifying and protecting against web application and web service security vulnerabilities including those found in the OWASP Top 10 and CWE/SANS Top 25 errors.
  • Network and Application Penetration Testing.
  • Utility development and scripting experience is a major plus.

Role Responsibilities

  • Develops and implements IT Secure Application Development Life Cycle Policy.
  • Performs penetration testing, vulnerability scans and code reviews of existing and new applications to improve software security.
  • Performs routine audits of existing applications to identify security gaps and proposes mitigating controls.
  • Provides expert advice and consultancy on application security, threat modeling and fixing vulnerabilities.
  • Works closely with application development teams to provide security expertise on system, encryption, authentication, security specific code, and governance.
  • Domain competencies in a number of IT-risk-related disciplines, including Secure Applications Development, Cybersecurity, Applications Security Review and Applications Security Audit.
  • Manages implementation of Application Security policy and framework/tools.
  • Communicates application security issues/findings to stakeholders.
  • Provides consultative advice to information and application security customers that enables them to make informed risk management decisions.
  • Identifies and implements appropriate controls to effectively manage application risks as needed.
  • Ensures compliance with industry, regulatory and L’Oréal Group defined policies and standards.
  • Identifies opportunities to improve risk posture, developing solutions for remediating or mitigating application risks and assessing the residual risks.
  • Maintains strong working relationships with individuals and groups involved in managing application risks across the organization.
  • Partners with multiple teams across multiple locations with varying sets of priorities to ensure a timely delivery of the secure application solution.
  • Clarifies and drives project commitments, and establishes and maintains clear chains of accountability.


What We Are Looking For:


  • Strong organization, prioritization, rationalization, and analytical skills 
  • Strong communication skills and ability to interact/present application security projects and process improvements to IT Leadership.
  • Strong project management and project facilitation skills
  • A commitment to the concept of promoting security as an enabler to the business. 
  • Building enterprise application management, governance, and compliance programs. 
  • An ability to cultivate and build collaborative working relationships with a broad range of stakeholders. 
  • A well-developed understanding of and appreciation for organizational mission, values, and goals and consistent application of this knowledge.
  • An ability to communicate complex and technical issues to diverse audiences.
  • Deep knowledge of advanced enterprise level application security standards, techniques and tools.
  • A well-developed understanding of and appreciation for business needs and organization goals, with a commitment to leading the application security team in delivering high-quality, prompt, and efficient service to the business.   
  • Strong decision-making capabilities, with a proven ability to weigh costs & benefits.   
  • An ability to effectively influence others to modify their opinions, plans, or behaviors.   
  • An ability to communicate complex and technical issues to diverse audiences, orally and in writing, in an easy-to-understand, authoritative, structured and actionable manner.
  • Understanding of application security fundamentals and general security technologies.

Typical Education and Technical Experience 

  • BS or higher degree in Computer science, Information Security, or equivalent experience 
  • 10+ years of professional experience in Application Security, IT security, compliance and risk management, including privacy, data protection, security controls, etc.
  • 7+ years of hands-on development experience with technologies and standards such as: HTML, C++, C#, JavaScript, jQuery, Python, PHP, SQL, JSON, XML
  • Experience in building scalable application security organizations and successfully managing application security professionals.
  • Understanding of SSL/TLS, REST, SAML, OAuth
  • Knowledge of the following application technologies and standards (not limited to but including): HTML, CSS, JavaScript, SQL, JSON, Python, XML, SSL/TLS, REST, SAML, OAuth, C#, PHP
  • Knowledge of software and network architecture and standards: MVC
  • Experience with either Agile or Waterfall SDLC methodologies
  • Experience in developing an SDL and training technical teams on security-related topics: SDL, anti-patterns, vulnerability prevention
  • Experience using DevOps tools such as Jira/Confluence, Jenkins, and cloud-based code sharing platforms (e.g., GitHub, Bitbucket, SourceForge, etc.)
  • Working knowledge of eCommerce platforms such as Salesforce Commerce Cloud is a plus.
  • Understanding of Database Systems including MS SQL, MySQL, Oracle, etc.
  • Experience with Agile/SCRUM and Classical (Waterfall) software development models, and thorough knowledge/understanding of enterprise SDLC process.
  • Knowledge of web related technologies (web applications, web services, and service-oriented architectures) and of network/web related protocols.

What’s In It For You:


  • Salary range: $172,000-$179,000 (The actual compensation will depend on a variety of job related factors which may include geographic location, work experience, education, and skill level).
  • (Medical, Dental, Vision, 401K, Pension Plan)
  • (Paid Company Holidays, Paid Vacation, Vacation Buy Program, Volunteer Time, Summer Fridays & More!)
  • VIP Access to L’Oréal’s Internal Shop for Discounted Products, Monthly Mobile Allowance
  • (Unlimited Access to E-learnings, Lunch & Learn Sessions, Mentorship Programs, & More!)
  • (Think Tanks and Innovation Squads)
  • Access to Mental Health & Wellness Programs

Do not meet every single requirement? At L'Oréal, we are dedicated to building a diverse, inclusive, and innovative workplace. If you are excited about this role but your past experience does not align perfectly with the qualifications listed in the job description, we encourage you to apply anyway! You may just be the right candidate for this or other roles!

We are an Equal Opportunity Employer and take pride in a diverse environment. We would love to find out more about you as a candidate and do not discriminate in recruitment, hiring, training, promotion, or other employment practices for reasons of race, color, religion, gender, sexual orientation, national origin, age, marital or veteran status, medical condition or disability, or any other legally protected status.

If you are a qualified individual with a disability or a disabled veteran, you may request a reasonable accommodation if you are unable or limited in your ability to access job openings or apply for a job on this site as a result of your disability. You can request reasonable accommodations by contacting [email protected]. If you need assistance to accommodate a disability, you may request an accommodation at any time. 

Our Safe Together Plan: Your safety is our highest priority. We will proceed with caution and adhere to enhanced protection standards to ensure our sites are safe for all employees. We must all operate with the shared responsibility for each other’s health & safety in mind.

 
