[ale] [OT: job] Software Security Engineer

Philip Polstra ppolstra at gmail.com
Wed Jul 19 07:56:12 EDT 2006


Here is a bit more detail on the job I posted a couple days ago.  E-mail me
off list if interested.

*Job Description*



Job Title:          Software Security Engineer

Department:      Enterprise Engineering

Reports to: Manager, Enterprise Security


1.    Key responsibilities



Job summary (Role Summary)

To develop, monitor and enforce procedures and standards to assure that
systems operated and software developed and operated by the company
function as designed and only as designed.


Essential Duties and Responsibilities (Key Activities)

-        Interact with global business process owners, application and data
owners and developers to integrate security standards into business
processes and software.

-        Develop, document and publish secure coding standards and practices.

-        Integrate security best practices into the company's software
development life cycles (SDLC).

-        Participate in the company's SDLCs to ensure standards and
procedures are followed or exceptions documented.

-        Balance security and business needs in all projects and work.

-        Conduct risk assessments of applications and databases in
accordance with the IT Security Risk Assessment process.

-        Cooperate with suppliers, third parties, regions and business units
to develop mutually secure software.

-        Conduct technology watch on threats to company enterprise
applications. Identify threats that exceed or may exceed the ability of
company technical controls to protect applications and data enterprise wide.

-        Evaluate vendors for new and existing solutions to software issues
identified in the IT Security Strategy and Roadmap. This includes testing,
evaluation, recommendation and selection of products.

-        Develop software architecture and standards for enterprise
applications.

-        Define and manage department software projects in coordination with
the division project management team.

-        Conduct business analysis to assist business units in integrating
security into their application development.

-        Assist business units and project managers in conducting risk
assessments throughout the life cycle of enterprise applications.

-        Recommend software security standards, policy and procedures to the
ESM manager and IT Security Council.

-        Perform continuing internal monitoring/audit of software security
controls and coordinate with the corporate audit committee.

-        Oversee the company-wide source code and application scanning process.

-        Perform or assist in IT security investigations as assigned by the
ESM manager.


2.    Required Qualifications



*Education -*

Bachelor's or Master's Degree in Computer Science or a relevant field of work,
or an equivalent combination of education, security certifications (e.g.
CISSP, UNIX and Development Certifications) and work experience.



*Experience -*

-        4-5 years progressive work experience in software development.



*Skills and Knowledge -*

1.      Must possess or obtain CISSP certification

2.      Desire to learn as much as possible about the emerging field of
software security

3.      Demonstrated experience and solid understanding of B2B gateway
technology such as JBoss, Plumtree and BEALogic.

4.      Experience with LDAP and Active Directory

5.      Experience with at least two of the following languages: Java, C++,
C, PHP

6.      Desire and ability to teach others about software security




3.    Desired Qualifications & Experience

1.      Familiarity with VISA Payment Card Industry standards for Web
applications

2.      Familiarity with Sarbanes-Oxley regulations

3.      Experience with company commercial applications (e.g. BEALogic)

4.      Experience with software scanning tools such as Coverity's source
code analysis products

5.      QA test engineer experience, use of verification matrix

6.      Use of vulnerability scanning tools such as Nessus

7.      Use of automated software tools such as Rational programs

8.      Use of application scanners such as Watchfire's AppScan

9.      Use of source code scanning tools such as Fortify Software's
products

4.    ACCOUNTABILITY



*Number of employees supervised*: Direct  *0*  Indirect  *0*



*Annual operating and/or payroll budget(s)*: none



*Decision making responsibilities (Key Decision Rights)*:

-        This position has a critical impact on the protection of Company
informational assets.

-        This position has a moderate impact on project costs, schedule and
quality levels of IT development projects.

-        Decisions or recommendations, or failure to complete projects, could
result in delays with considerable expenditure of time, human resources or
funds.


5.    CONTACTS (Key Relationships)



*Internal Key Relationships*

This position will work closely with client management, IT development
teams, support teams, data center resources and IT management to discuss
projects, provide recommendations on improvement opportunities and operating
and financial performance.  Provide technical direction and training to more
junior-level network engineers.



*External Key Relationships*

Frequent interaction with software/hardware security vendors to consult on
new products and discuss/resolve technical problems. Develops relationships
with professional organizations, user groups, and security staff at other
companies to keep abreast of new trends in corporate and departmental
information security.


6.    PHYSICAL REQUIREMENTS



*Work Environment*

Work is performed in a normal office environment.