Works under minimal supervision. This position requires close communication with the product management, engineering, and leadership teams to provide consultation around product cyber security risks.
• Provide support to the roll out of an organization wide Software Security Development Lifecycle Policy
• Monitor each phase of software development process and attest to successful completion of each security requirement and activity throughout the development lifecycle
• Attest to compliance (or non-compliance) with security and privacy requirements in the Product Development Process and during related stage gate reviews
• Advise in and support training efforts for product Security Champions and Security Advocates
• Partner with product Security Champions to conduct product security assessments and threat models
• Consult on product strategies for programs as an advisor on product cyber security risks
• Advise product security champions and development team members on proper implementation of the Software Security Development Lifecycle policy and how it applies to their product and threat model
• Participate in program increment / sprint reviews to keep up to date on product developments and how they may relate to or impact organizational risk / security
• Perform detailed Quality Assurance (QA) review of web-based applications; identify and validate application vulnerabilities; and perform actual remediation at architectural and source code levels.
• Assist product security champions in completion of product specific Incident Response Plans
• Serve intermittently as a member of the Global Product Security Incident Response Team (GPS-IRT)
• Attend industry training / conferences and roundtable forums (e.g. OWASP AppSec, RSA, Black Hat) to stay up to date on the latest technologies and evolving threats, and build relationships in the industry to help the organization become a leader in cyber security knowledge
• Educational requirements - BS/BA required, MS/MBA desired.
• Minimum of 3 years of directly related experience in Software/Cyber Security
• Possess verifiable technical expertise in application security techniques and best practices
• One of the following certifications highly preferred - CSSLP, GSSP-.NET, CISSP, or related
• Prior application security program experience a plus.
• Experience with tools such as Fortify, AppScan, WebInspect, Burp, ZAP
• Demonstrable understanding of the Microsoft SDL, OWASP ASVS, and OWASP Top Ten projects
• Willing and able to travel domestically and internationally approximately 25% of the time.
A little about us:
Johnson Controls is a global diversified technology and industrial leader serving customers in more than 150 countries.