Mobile Security SME - Technology Risk Morgan Stanley
New York, NY

Job Description

The Security Architecture (SecArch) team is part of the Technology Risk (TR) organization. The mission of the SecArch team is to provide security architecture assessments of technology systems and processes to identify business risks and recommend remedial action based on established security standards or security best practices.

The SecArch Mobile Security SME, VP is an internal consultant that is working on multiple security architecture and design assessments spanning a range of technologies, primarily related to mobile solutions. The architect is expected to be capable of conducting a security architecture review from a general scope, while having subject matter expertise in mobile security that includes an in-depth knowledge of mobile platform risks, management controls, and application security. It is an opportunity to get involved in multiple business units and technologies inherent to the mission of SecArch and to act as a leader within the Firm. The architect works with team members (Technology, Business, Suppliers, Stakeholders and Partners) globally to perform SecArch assessments. To be successful in this role, the candidate must have deep mobile technology subject matter expertise and broad overall technology & security experience coupled with risk management, leadership, communication, and time management skills.

A SecArch Mobile Security SME has the following responsibilities:

* Work independently to lead SecArch deep dives with business and technology requestors


* Conduct assessment and provide technology risk/requirements to the requestor. Areas covered:


* Authentication, Authorization, Auditing


* Secure data transport and storage


* (Mobile) Application Security ? Session Security, Vulnerability/Pen Testing items, Input Validation, Data storage/protection, application hardening


* Infrastructure - Infrastructure supporting mobile applications/platforms, such as MDM


* Prioritize risks identified in relation to business risks


* Propose solutions to mitigate risks identified


* Establish and communicate mobile security posture


* Leverage existing expertise in mobile security to identify gaps in current technology environment and provide strategy for risk reduction


* Perform hands-on assessments of mobile applications and platforms as part of control validation and strategy definition.


* Produce position papers and knowledge articles on testing/research performed.


* Periodically review security reference architecture (security blueprints) and conduct updates/enhancements *L1-FG1



Qualifications:

Soft Skills (Required)

* Excellent communication skills: written, oral, presentation, listening


* Ability to influence through factual reasoning


* Time management: ability to handle multiple concurrent assessments, plan based deliverable management, strong follow up and tracking


* Strong focus on delivery when presented with short timelines and increased involvement from senior management


* Ability to adust communication of technology risks vs business risks based on the audience



Security Architecture Skills

* Required In depth knowledge of mobile, application, network and platform security vulnerabilities. Ability to explain these vulnerabilities to developers


* Required - Experience with deployment of mobile applications/infrastructure in an enterprise setting.


* Require Experience in conducting Information Security, IT Security, Audit assessments. Presenting the outcomes of the assessment and obtaining buy in.


* Required Strong focus on reviewing technical designs and functional requirements to identify areas of Security weakness.


* Desired The candidate must have working experience in the following application/network security domains:


* Authentication: SAML, SiteMinder, Kerberos, OpenID


* Entitlements and identity management


* Data protection, data leakage prevention and secure data transfer and storage


* App Security - validation checking, software attack methodologies


* Cryptography encryption and hashing


* Desired Knowledge of standard network model and the risks that present at each layer, the functions of network equipment such as switches, routers, firewalls, proxies, vpn, and load-balancers, and to understand network architecture.Desired - The candidate must have working knowledge of the primary operating systems (iOS, Android, Unix/Linux Windows, z/OS, Mac OS), the configuration and management of that platform at an enterprise scale, the security risks to that platform, and how to mitigate those risks.


* Desired - experience in testing tools, at least one of Veracode, Fortify, OunceLabs, AppScan, WebInspect, Burp



Development Experience

* Required Even though the SecArch Integrator role is not a development role, the candidate must have previous background in programming, design and application architecture.


* Required In order to be a practical SecArch Integrator the candidate must have experience implementing complex applications in an enterprise environment.


* Required - working knowledge of mobile application development programming languages and solutions: Objective-C, Swift, Java, JavaScript, Cordova


* Desired In-depth knowledge of web technologies such as Web Browsers, Web Servers, Web Services



Other Areas of Expertise

* Required - Knowledge of mobile operating system architecture, specifically iOS and Android.


* Required - Knowledge of Mobile Device Management tooling.


* Experience in conducting and / or reviewing penetration tests, dynamic vulnerability assessments and static vulnerability assessments


* Understanding of geographic regulations and their impact on Security assessments


* Previous experience in Financial Services is preferred


* CISSP, GMOB, or other industry qualification


* Desired experience working with global organizations



Educational Requirements

Bachelor's Degree with minimum 5 years relevant work experience in high-paced, enterprise environment *L1-FG1