This role is responsible for acting as a technical lead for the Mobile Application Security Review (MASR) team. The Application Security Management organization is responsible for several key information security functions including application security scanning in the SDLC, vulnerability management and governance. The MASR team is responsible for performing security testing on mobile applications and managing the remediation of the findings, on both iOS and Android platforms.
Responsibilities of this position will include but not be limited to the following:
Provide technical direction and strategy for the team, including performing evaluations of new tools and services.
Act as technical liaison between Mobile Application Security and mobile application development teams, including guiding teams towards strong application security practices and remediating known risks.
Implement automation efforts to reduce manual workload and deliver results to customers effectively.
Develop and implement continuous service improvements to the Mobile Application Security Management program.
Leads other technical resources on the team, providing support and solutions that serve application development partners.
Delivers next-generation application security controls, socializing them with application teams to ensure strong adoption, and solves technical barriers in tools and processes.
Works individually and with teams on both structured and unstructured assignments.
May participate as a subject matter expert or lead multiple moderately complex initiatives.
May be required to provide off-hours support.
The successful candidate will be a results-driven, flexible team member possessing the following required qualifications:
Typically holds a Bachelor's degree in Computer Science, Information Systems, or other related field (or equivalent work experience).
Professional audit or information security certification strongly preferred (e.g., CISA, CISSP, CISM).
Prior experience with CI/CD, DevOps, and application development preferred.
Requires expert-level knowledge of tools and/or processes to reliably identify mobile application security issues and business logic flaws (SAST, DAST, RASP, etc.).
Strong knowledge of open source and commercial security tools and frameworks for mobile application security, including but not limited to Kali Linux, Zed Attack Proxy (ZAP), Burp Suite, NowSecure, HP Fortify on Demand, Data Theorem, SonarQube and FindBugs.
Knowledge of frameworks, standards, and best practices (e.g., OWASP, NIST, PCI, ISO, COBIT, COSO, CMMI) is a plus.
Requires knowledge of business and technical functional capabilities in the following areas: security architecture; security engineering; threat management; vulnerability management; computer and data breach incident management; security policies and standards; data security; network security; system security; technology operations; and compliance.
Typically possesses prior IT and business work experience with exposure to various technical environments and business segments, and some experience working with auditors and regulators.
Superior skill in organizing, managing and interpreting data.
Proven communication skills, including the ability to present information clearly and concisely to all levels of management, both formally and informally.
Requires experience in analyzing large amounts of data, interpreting results, and making recommendations.
Strong time management skills, and the ability to prioritize and multi-task.
In-depth experience with desktop software and office automation tools.
Employment eligibility to work with American Express in the U.S. is required as the company will not pursue visa sponsorship for these positions.