Founded in 1908, CIT (NYSE: CIT) is a financial holding company with approximately $50 billion in assets as of Dec. 31, 2017. Its principal bank subsidiary, CIT Bank, N.A., (Member FDIC, Equal Housing Lender) has approximately $30 billion of deposits and more than $40 billion of assets. CIT provides financing, leasing, and advisory services principally to middle-market companies and small businesses across a wide variety of industries. It also offers products and services to consumers through its Internet bank franchise and a network of retail branches in Southern California, operating as OneWest Bank, a division of CIT Bank, N.A. For more information, visit cit.com.
The Application Security Engineer is a hands-on, first-line role responsible for evaluating and enforcing security across the Secure Software Development Life Cycle (SDLC). The Application Security Engineer will conduct code reviews and assess/remediate issues stemming from application security scans using various tools. The position will work closely with IT Development implementing, executing and improving the security of CIT-developed applications, where weaknesses could lead to negative operational, reputational, and/or financial impact. The ideal candidate will have solid experience operating a risk-based penetration testing program, conducting both manual and automated penetration tests to improve application security and effectively communicating flaws to management as part of risk metrics reporting.
* Conduct ongoing code reviews and application security scans, identify and interpret flaws, consult and advise development teams on remediation and track issues to resolution in accordance with service level agreements (SLA).
* Proactively manage security flaws and engage IT Development to ensure issues are resolved in line with SLAs.
* Maintain monthly management reporting supporting this effort.
* Perform dynamic/static testing using various tools, provide recommendations and guidance on mitigations and validate issue remediation. Maintain detailed evidence documentation throughout the process.
* Review application security and approve application changes as part of the formal Change Management process.
* Collaborate with colleagues from Security Architecture & Assurance, Security Operations and IT Development in the testing and remediation process, including resolution of issues stemming from risk assessments and third party penetration testing.
* Participate in the development of security standards and provide recommendations for improving the application security program based on subject matter expertise and industry best practices.
* Maintain application security program standard operating procedures in line with applicable CIT Security standards.
* Contribute to regulatory, risk assessment and internal audit examinations where required.
* 5+ years of experience in an application security function working with developers throughout the Secure Software Development Life Cycle.
* Ability to identify security vulnerabilities from source code reviews/testing and provide security guidance to development teams.
* Strong knowledge of Open Web Application Security Project (OWASP).
* Strong knowledge of common application security vulnerabilities (e.g., XSS, CSRF, SQL injection, input/output validation, etc.) and how to engineer software to avoid them.
* Expertise in application security testing, static and dynamic analysis.
* Prior experience programming in one or more server-side technologies (e.g., ASP.NET) is ideal.
* Experience with manual penetration testing and integrating it with automated methods/tools.
* Familiarity with web application firewalls.
* Critical thinker with demonstrated problem-solving skills.
* Demonstrated ability to prioritize and successfully manage competing work assignments in a time-sensitive environment.
* A high degree of initiative required with the ability to work independently or as part of a team.
* High level of personal integrity and the ability to professionally handle confidential matters and project the appropriate level of urgency, judgment and maturity.
Key terms: Application security engineering, OWASP, static/dynamic analysis, penetration testing and tools, defensive programming, application security training, malware techniques and defenses.
CIT provides banking and related services to commercial and individual customers.