Application Security Analyst

Your opportunity

The Schwab Application Security Team, under the leadership of the Chief Information Security Officer (CISO), is tasked to protect information assets in support of Schwab business objectives and in conformity with Schwab policies.  The Application Security Team is a core function of Schwab Cybersecurity Services and is primarily responsible for establishing and guiding the Secure Software Development Program within Schwab.  These activities include creation and rollout of software security policies and best practices, software security architecture, software security scanning, penetration testing, and the education of Schwab software developers and testers in security best practices.  The Software Security Engineer ensures the control and protection of software, improves the software development process, and minimizes defects and vulnerabilities in software production.

Well qualified candidates for this position will demonstrate the following key traits:

Prior engineering experience on a Software Security Assurance team Experience partnering with development teams to balance innovation and security concerns. Capable of analyzing large amounts of disparate data to produce easily understandable content. Experience with various application security tools including Software Composition Analysis (SCA), Static Application Security Testing (SAST), secrets management, and Dynamic Application Security Testing (DAST).

Well qualified candidates will also demonstrate expertise in the following technical areas:

Application engineering experience in software development Solid knowledge in application vulnerability types, attack vectors and remediation approaches Industry best practices for secure software development include software security design requirements. Application penetration testing and vulnerability scanning tools such as Fortify and how to integrate with agile SDLC. Proficiency with IP protocols and associated security mechanisms: TCP/IP, HTTP, SSL/TLS, PKI. Familiarity with well-known application security sources and standards such as OWASP, WASC and NIST. Experience with solutions for WAF/RASP technology for runtime application monitoring and protection. 2 years of experience with static and dynamic analysis and/or threat modeling tools Experience implementing enterprise deployment of application security tools, services, and controls. Solid understanding of a variety of software security practices, secure code reviews, threat modeling, security requirements analysis and architectural risk analysis

What you have

Key Accountabilities:

• Ability to positively influence the behavior of peers and build relationships with other teams without direct authority over those teams.
• Assess current practices and recommend changes to relevant policies to ensure state of the art development practices as they relate to security.
• Review security of software and identify and remediate vulnerabilities.
• Provide necessary input to philosophy and practices around software development.
• Help ensure security of software produced or procured by SCHWAB to prevent loss, inaccuracy, alteration, unavailability, or misuse of data.
• Recommend security requirements for the software development process.
• Support tools to help enable security requirements as part of application development process.
• Integrate software security scanning and testing into SCHWAB’s software development, build and testing programs.
• Work with application developers in security best practices and secure coding.
• Conduct software security testing, including penetration testing, to verify that the software complies with security requirements.
• Review, inspect and walk through source code to help developers understand vulnerabilities and provide advice to developers on remediation.
• Develop automated application specific threat models to identify security design flaws and provide guidance on application specific risks and controls.
• Identify security vulnerabilities as a result of security bugs, coding errors, omissions, and defects.

Desired certifications:

• Information Security and control certifications a plus (CISSP, CSSLP, GWEB, CISA, CISM, CEH, CRISC, etc.)