Lead, Browser Security
Addison, TX

Job Description

The browser security lead is an expert in design patterns, standards, theory, and implementation of past, present and future web browser technology at Bank of America.

The lead is a champion who ensures the viability of meeting enterprise cyber-security objectives using web technology, and possesses an intimate level of knowledge of browser architecture and internals, particularly as expressed against contemporary web applications and web-enabled frameworks (e.g., WebRTC, PWAs, REST APIs and WebSockets frameworks). The lead uses deep technology skills to understand technology risks associated with browsers and client-side web application contexts, and assists software architects, control owners, and technology strategy teams in identifying and navigating architecturally significant technology and risk landscapes. The lead partners with technology leaders from other enterprise technology functions in designing and fulfilling the enterprise browser strategy.

Primary Responsibilities

* Research, understand, and interpret browser security requirements into practical control objectives and controls
* Evaluate the fulfillment / achievement of browser security objectives across enterprise and third-party web applications
* Participate actively in browser standards and innovation processes; understand the browser technology roadmap and anticipate and articulate architectural ramifications of changes to browser technology
* Identify enterprise risks, including risks of known unknowns and unknown unknowns, related to browser technology
* Subject matter expertise in application security of one or more major enterprise web application platforms used by Bank of America, incl. but not limited to Java / J2EE, .Net, Mobile (iOS and / or Android), Big Data, Python, Mainframe
* Apply and interpret application security objectives in context of designated platforms
* Identify, champion, and supervise the implementation of defensive controls, methods and processes within Bank applications
* Contribute to an enterprise library of application security components and systems through vendor selection, evaluation, and original contributions
* Proactively engage stakeholders, including development managers, developers, architects, and governance bodies in the Bank to achieve security objectives
* Deliver multiple technology projects across multiple teams
* Regularly interact with senior technology and business management, requiring the ability to explain complex technical matters in a way both technical and non-technical personnel can understand
* Manage business partner relationships to deliver a seamless and responsive workflow
* Collaboratively develop technical architectures, processes and procedures pursuant to application security objectives together with business and technical partners
* Deliver training and collaborate with internal and approved external knowledge-sharing bodies
* Develop processes and procedures to advance application security objectives, suitable for adoption throughout the Bank
* Contribute to and interpret enterprise policies, standards, and baselines and mentor personnel with less experience or knowledge of the same

Required Skills


* Expert knowledge of one or more browser implementations, preferably among Chrome (or Chromium-family), Safari, Firefox
* Knowledge of relevant standards and standards activity, including IETF (e.g., HTTP, TLS, and networking), W3C (e.g., WebSockets, PWAs/Service Workers) as well as platform-specific standards
* Exposure to application security testing techniques
* Able to read and write software in at least one programming language such as C, C++, .Net, Java, Python
* Comprehensive understanding of at least one application security life cycle, up to and including operations, maintenance and decommissioning
* Knowledge of at least three application security testing methodologies and approaches, including formal methods, system level security, SAST / DAST, threat modeling, ethical hacking and crowd-sourcing
* Knowledge of cryptographic algorithms and architectures
* Experience with business planning, governance and management of application development or application security functions at a systemically important financial institution
* Ability to write policies, standards and baselines around application security and associated topics

Required Experience Level:


* 5-10 years of progressive experience in application security and / or software development, at least 2 years of experience with client-side web programming
* Bachelor's degree or higher in CS, IT, or a related technical or engineering field
* Experience working in the financial sector
* CISSP or similar professional certification, or commensurate experience

Desired Skills:


* Technical writing skills
* Public speaking skills
* Cyber security experience at a systemically important financial institution
* Experience working at a bank, credit union, money services business, or similar
* Experience with online collaboration tools and technologies such as Sharepoint, Slack, HipChat, video conferencing
* Experience with source control, agile development, bug tracking, build automation, and change control platforms
* Understanding of contemporary networking technologies, e.g., TCP/IP, routing, subnetworking, firewalls, VPN and DMZ
* Knowledge of one or more contemporary endpoint architectures, including Mac, Windows (workstation and/or server), Linux, iOS, Android, mainframe
* Experience with dynamic application security defensive technology, such as WAF, RASP, and compiler security mechanisms and language-theoretic security
* Knowledge of NIST 800 series, FIPS standards, ISO 27000 series, CSA and related standards

Posting Date: 06/29/2019

Location: Denver, CO, Union Station, 1801 16th St; Chicago, IL, 135 S LA SALLE ST (IL4135); Jersey City, NJ, 101 HUDSON ST (NJ2101); Addison, TX, 16001 N Dallas Pkwy (TX8044); Annandale, VA, ANNANDALE BC, 7400 LITTLE RIVER TPKE - United States

Travel: No

Full / Part-time: Full time

Hours Per Week: 40

Shift: 1st shift
