Job Details
About the Role:

Grade Level (for internal use): 12

The Team: The S&P Ratings Security team focuses on protecting our clients and users from all aspects of modern-day security threats. The mission of our team is to safeguard systems and data by developing innovative solutions for the biggest security challenges. We are passionate problem solvers with deep security expertise.

Responsibilities and Impact: We are looking for a Lead Security Engineer responsible for security testing, including penetration tests, vulnerability scanning, threat assessments, attack simulations, and red/purple team assessments, to enhance the security of S&P Ratings applications and services. This is a technical lead role with an opportunity to apply expertise in open-box penetration testing, threat modeling, mixed closed- and open-box application security analysis, and vulnerability assessment. This position will collaborate with software development teams, DevOps, and SRE to drive security into how we design, build, deploy, and operate applications. Responsibilities include mentoring junior engineers and maturing the team's capabilities and processes. A successful candidate for this position will:
- Security/penetration test web applications and underlying infrastructure for vulnerabilities using both manual and automated techniques
- Build scripts, tools, or methodologies to enhance offensive security testing
- Have expertise with different types of vulnerability assessment tools or related experience in vulnerability detection DAST/SAST tools
- Employ advanced techniques including reverse engineering, fuzzing, and conduct research to identify new and novel attack vectors
- Possess sound knowledge of common infrastructure and web application vulnerability categorizations such as CVE, CVSS, CWE
- Have experience analyzing, identifying, and developing remediation plans for vulnerabilities
- Have a sound understanding of application and web-based attacks
- Have an exploit development background and be able to discover new vulnerabilities in systems and applications
- Understand how applications, cloud networking, operating systems, and databases work in order to design new attack scenarios
- Analyze findings from a variety of application security tools (DAST, SAST, SCA, Credential Scanning) to secure web applications during development and production run-time
- Effectively communicate findings, attack paths, recommendations, and strategy to technical and executive client stakeholders through written reports and verbal presentations
- Demonstrate risk of detected issues to both technical and non-technical audiences, recommend code changes to eliminate vulnerabilities
- Automate security testing at various stages within the CI/CD pipeline
- Develop secure coding standards and training across multiple application frameworks and technologies to address security-test findings
- Bachelor’s Degree in Computer Science, Information Systems, or equivalent work-related experience
- Minimum 8 years total experience in a technical role such as security engineer with software development experience
- Design, implementation, and operation of a secure software development lifecycle
- Experience with web application security/penetration testing and common attack vectors
- Experience with secure application development
- Experience with defense-in-depth strategies to help mitigate existing risk within applications
- Software development experience in a common programming language: Java, Python, C#
- Scripting/programming skills - Python, PowerShell, GoLang, Perl, JavaScript, .NET, API Integration
- Security tooling automation in CI/CD pipelines and IDE interfaces, including Static Application Security Testing (SAST), Software Composition Analysis (SCA), and Dynamic Application Security Testing (DAST) solutions
- Experience reproducing proof of concept exploitation steps
- Deep application security knowledge, with the ability to map an application vulnerability to exploitation indications and relevant investigative techniques
- Familiarity with standardized penetration testing and red teaming standards and procedures, such as NIST SP 800-115 and TIBER-EU
- Health & Wellness: Health care coverage designed for the mind and body.
- Flexible Downtime: Generous time off helps keep you energized for your time on.
- Continuous Learning: Access a wealth of resources to grow your career and learn valuable new skills.
- Invest in Your Future: Secure your financial future through competitive pay, retirement planning, a continuing education program with a company-matched student loan contribution, and financial wellness programs.
- Family Friendly Perks: It’s not just about you. S&P Global has perks for your partners and little ones, too, with some best-in class benefits for families.
- Beyond the Basics: From retail discounts to referral incentive awards—small perks can make a big difference.
About the Company
S&P Global
United States
At S&P Global we transform data into Essential Intelligence®, pinpointing risks and opening up possibilities. We Accelerate Progress in the world.