Since 1918, it has been TIAA’s mission to serve, our ability to perform and the values we embrace that make us a different kind of financial services organization. We’re dedicated to serving the financial needs of those in the academic, medical, cultural, governmental and research fields, and committed to helping make lifetime financial well-being possible for them.
By building a culture that allows all employees to contribute their unique talents and skills, we’re able to provide our customers with fresh ideas and distinct perspectives to help them achieve their goals. We believe a diverse and inclusive workforce is one of our greatest strengths and a key measure of our success*.
For more information about TIAA, visit our website.
This candidate will be primarily responsible for assessing application source code, performing dynamic application testing, and carrying out other testing duties as necessary to ensure system compliance with security standards and baselines. Assessments will cover a complex application environment made up mostly of J2EE, with some .Net and other languages/platforms. All discovered vulnerabilities must be registered in central management tools and communicated to the responsible parties, with action plans developed for timely remediation. Metrics and reporting to senior management will demonstrate the overall security risk reduction and business benefit of this program.
KEY RESPONSIBILITIES AND DUTIES:
- Planning and managing the delivery of Application Security tests (both automatic and manual), and source code reviews on high risk web applications
- Partnership with Risk, Compliance, and Audit to determine the high risk applications and creation of formal testing schedules
- Responsible for managing or providing developer application security awareness and education
- Application inventory administration of automated source code security solutions
- Assisting with the development of a best-in-class testing methodology based on application risk scoring
- Provide expert assistance to application groups concerning application security
- Support the Information Security project team by leading efforts requiring application security subject matter experts
- Technical skills:
  - Windows, UNIX and Linux operating systems, Active Directory
  - C, C++, C#, Java, ASM, PHP, PERL
  - Network servers and networking tools (e.g. Nessus, nmap, Burp, etc.)
  - Computer hardware and software systems
  - Web-based applications
  - Security frameworks (e.g. ISO 27001/27002, NIST, HIPAA, SOX, etc.)
  - Security tools and products (Fortify, AppScan, etc.)
  - Vulnerability analysis
- 3-5 or more years of related experience in Information Security performing any of the following: secure source code analysis, ethical hacking, and penetration testing
- Experience with object oriented development with Java or .Net
- Working knowledge of various development platforms and frameworks, including but not limited to one or more of the following: Maven, ANT, ATOM, SPRING
- Understanding of current threats and exploits to include experience with threat remediation
- Understanding of OWASP methodology
- Experience with application vulnerability assessment tools (IBM, HP, or open source)
- Understanding of common application security issues & risks
- Application security experience with remediation of SQL injection, buffer overflows, parameter manipulation, cross-site scripting, etc.
- Strong oral and written communication skills
- Bachelor's degree in Computer Science / Information Systems
- Military or Government security experience is a plus
- Development background using Eclipse or Visual Studio desirable
- Security certifications such as CISSP, CSSLP, GIAC, Security+ desirable
- Strong technical and operational expert who can implement technology that enables business processes
- Experience with mobile application development a plus
- Understanding of operating systems and application security configuration
- Knowledge of one or more risk assessment methodologies a plus
- Ability to grasp new technology concepts quickly and assist others in understanding them as well
- Ability to work in a team environment and interact with people; ability to meet pressured deadlines and time constraints
- Ability to communicate findings to non-technical / non-IT personnel with sufficient clarity that they understand the risk entailed in the finding, including suggested resolutions for remediation
Equal Employment Opportunity is not just the law, it’s our commitment. Read more about the Equal Employment Opportunity Law.
If you need assistance applying due to being visually or hearing impaired, please email Careers Help.
This organization is an equal employment opportunity (EEO) employer, dedicated to maintaining a work environment free of bias, harassment, discrimination and retaliation. As an EEO employer, this organization expressly prohibits discrimination, harassment, and retaliation on the basis of race, creed, ethnicity, color, age, religion, sex, sex stereotype, pregnancy (including childbirth, breastfeeding or related medical conditions where applicable), sexual orientation, gender, gender identity, gender expression, transgender, marital status, national origin, ancestry, physical or mental disability, requesting a reasonable accommodation based on mental or physical disability, medical condition (as defined by applicable law), genetic history and information, citizenship status, military or veteran status, or any other status protected by federal, state, or local law or ordinance or regulation (collectively referred to here as “protected characteristics”).
*©2016 Teachers Insurance and Annuity Association of America (TIAA), 730 Third Avenue, New York, NY 10017