Application Security Manager

 Montreal, Canada       Permanent contract        Information Technology


The Application Security (AppSec) Manager for Société Générale is responsible for implementing and managing the global DCS Application Security strategy to ensure that security controls are functioning efficiently and effectively in the realms of application and database security logging, monitoring, alert management, incident handling, vulnerability and configuration management.


The position also supports the DCS team in doing security research and development, product evaluations, consulting, project support, and any other operational tasks needed to support the overall requirements of the program and strategy.


The AppSec Manager is a hands-on position and provides technical expertise to establish and implement security related standards, procedures, and guidelines appropriate to securing the existing environment in partnership with various properties and Information Technology.


Consultative Services

  • Act as the main point of contact and expert in application and data security to the properties and network teams to offer solutions to new risks and threats

  • Support the AppSec Lead Engineer on all activities in collaboration with the application development teams and project teams, that is be able to take on hands-on work as needed (e.g., tight deadlines, issues, etc.)

  • Support the AppSec Lead Engineer with penetration testing and vulnerability threat assessments, security reviews and assessments, code reviews, etc. as needed, of new applications, changes to applications, third-parties, etc. as part of projects

  • Ensure the above activities are aligned with the VTA (Vulnerability Threat Assessment) team

  • Review and sign-off on all recommendations on possible improvements resulting from the work performed as part of projects

  • Provide official sign-off on projects after reviewing all security deliverables prepared by the AppSec Lead Engineer


Operational Planning & Management

  • Support the activities of the AppSec lead Engineer with the DCS Application Protection Systems (APS) once they are in place (APS includes various AppSec tools such as web application firewalls, code review tools); be able to be hands-on to get the work done timely

  • Validate and support the security requirements identified for the logging and monitoring activities of the APS

  • Validate and support the integration of these requirements within the DCS logging and monitoring (SIEM/LMR) framework in collaboration with the SIEM/LMR Team

  • Support the AppSec Lead Engineer in the deployment of the enterprise-wide database encryption solution (to be selected)


Security Risk Management

  • Manage the AppSec aspect of various audits, PCI, assessments, etc. to ensure that all outstanding findings and gaps are resolved by the various properties and IT

  • Partner with the DCS Management Team to build an integrated end-to-end security risk and compliance framework to protect the Company's information assets and supporting resources

  • Act as the main point of contact for the design and deployment of the company's security risk management framework as it relates to AppSec

  • Develop, implement and manage AppSec policies, standards, procedures, and guidelines that will assist the application development teams in integrating security requirements within their applications and databases

  • Establish integration points for application security testing, review, and oversight into the change management and software development lifecycles

  • Be a major influence in promoting the technical understanding of new and existing information AppSec standards, solutions and tools with respect to applications (Web-based, Legacy, etc.) and databases

  • Using the DCS security risk management framework, ensure that all AppSec activities (e.g., penetration testing, vulnerability threat assessments, threat modeling, security reviews and assessments, code reviews) are conducted with the utmost qualitY

  • Develop and manage detailed security reviews and assessments, security exposure analysis of business applications and databases: (1) Assess potential damage of security flaws and assist in the implementation of corrective actions; (2) Identify, document, and report security issues and concerns to management; and (3) Monitor corrective actions and recommending cost-effective preventive measures to preclude recurrences

  • Review and sign-off on all AppSec deliverables including recommendations and remediation plans; this activity is executed in close collaboration with the Security Risk & Compliance Team

  • Monitor the effectiveness of corrective actions and recommending cost-effective preventive measures to preclude recurrences

  • Identify areas that would benefit Internal Audit, External Audit and other regulators to enable them to streamline their audit activities and leverage DDS security tools and processes; manage the overall integration of these groups within DDS


Incident Management

  • Perform as the AppSec point of contact for the Incident Response team and investigate any possible incidents impacting the company

  • Support the activities of the AppSec Lead Engineer in all SOC procedures



Research & Development

  • Design, implement and manage an application security operations lab to perform all required application and data security assessment, reviews, testing, etc. including evaluating, selecting, deploying and managing code scanning and review tools such as AppScan, Hailstorm, Web Inspect, Imperva, etc.

  • Evaluate and participate in outsourcing and/or third-party initiatives that involve the processing of applications and data

  • Provide technical briefings to the CISO and other key stakeholders such as the CTO on current security issues; contribute to the technical understanding and promotion of new and existing information security standards, solutions and tools; serving as a technical communication channel to the CISO

  • Provide R&D and consulting support to the DCS team, IT and business projects as needed


Documentation, Reporting & Analytics

  • Contribute to the design and implementation of an operational reporting framework that will provide regular metrics and statistics about our business and IT environment; analyze trends in security events, activities, etc. to better understand risks, insufficiencies in our solutions, staffing shortages, etc.; report security metrics and statistics to the CISO and other key stakeholders such as the CTO

  • Document and follow-up on AppSec exceptions relating to IT and property activities that could negatively impact security risks and/or not adhere to established policies, standards, or procedures

  • Manage all SOC requirements with regards to application and data security metrics and ensure that metrics are gathered daily

  • Manage all application and data security metrics for the quarterly CISO dashboard and other reporting requirements


Performance and Training Management

  • Mentor AppSec staff on fundamentals of security threats, vulnerabilities, and testing methodologies

  • Develop and administer an AppSec training program to less experienced AppSec staff and/or other non-security professionals (IT, properties, e.g.)

  • Manage and coach current direct reports to ensure they perform at the highest level of quality and are able to achieve current goals

  • Establish and monitor team's goals and ensure they are aligned with the CISO's security strategy and direction

  • Self-manage career in security by leveraging available courses in-house and courses offered externally; prepare a career plan for short-term and longer-term performance management


Organizational Planning and Management

  • Establish annual roadmaps of application and database security initiatives to align with business and DSS goals

  • Developing a long-term maturity model for the application and data security framework to include standards, testing, effectiveness, etc.

  • Coordinate projects with the IT and property teams and for projects internal to DDS

  • Assist with general administrative activities in collaboration with all team members

  • Manage vendors' activities and relationships as needed including SOWs, maintenance renewals, licensing updates, etc.

  • Prepare project plans and associated documentation

  • Prepare status reports and other management metrics as needed


Profile Required

Professional Experience

  • 7-10 years related business experience in application development, database, and application/database security required

  • Min 7 years with software penetration testing, secure code review, architectural risk assessment, and/or static code analysis

  • Previous experience in a management or leadership role

  • In-depth understanding of OWASP security concepts and common application security risks, such as XSS, XSRF, SQL Injection, Cookie Manipulation, etc.

  • Strong knowledge of change management processes and the software development lifecycle

  • Previous experience in application development with Java, Javascript, PHP, C, Rails, .NET, or other languages.

  • Solid knowledge of operating systems, relational database architecture, client/server technology, business data processing, database analysis and design theory, transaction processing systems, wide and local area networks, communications protocols, encryption standards, and authentication protocols.

  • Strong analytical skills, problem solving skills and project management skills

  • Extensive training in engineering disciplines including application and data security, systems programming, systems design, computer technology and software disciplines

  • Hands-on experience with secure software development and analysis a must


Education and Certifications

  • Bachelor's degree or equivalent business experience in Computer Science, Database Administration, MIS or Electrical Engineering required

  • Ethical hacking certification preferred as well as certified training in application security solutions and practices

  • CISSP, CISA, CISM, GSEC, or related certification(s) required

  • Knowledge of US Security regulatory requirements and environment in financial services industry a plus (i.e. FFIEC) preferred

  • Experience working in a global / international environment with a broad range of policies and procedures preferred



  • Exceptional communication skills - both verbal and written

  • Detail-oriented and organized

  • Break down complex problems into manageable units, develop solutions for each unit, and integrate them back into the whole.

  • Absorb new ideas quickly and then apply them pragmatically

  • Identifies key or underlying issues in complex situations

  • Assess the situation by identifying patterns or connections which are not obviously related

  • Capable of adjusting to new environments and work effectively in varied situations

  • Set goals and priorities that maximize the use of available resources

  • Team-oriented, client-focused and open to different ideas/viewpoints

  • Self-awareness of own behavior/work style, as well as tolerant of different needs and viewpoints

  • Interest in others’ opinions and shows consideration, concern and respect for other people


Business Insight

Data & Cyber Security (DCS) is globally responsible for securing and steering Information Security and Cybersecurity related risks for the Global Banking and Investor Solutions (GBIS) division and related Service Units. DCS is composed of diverse and talented professionals who translate ideas into action daily by combining the strength of its expertise with a deep understanding of GBIS and Service Unit needs.


DCS’s responsibilities cover the management of Information Security and Cybersecurity

frameworks and revolve around five areas of expertise – Identification, Protection, Detection, Response, and Recovery.


Within DCS, the Application Security team focuses on five key missions:

  • Application and Project Risks

  • Global Application Security

  • Third Parties

  • Operational Security

  • Controls Execution


DCS achieves this while promoting a collaborative, innovative, diverse and fun environment for its Information Security and Cybersecurity professionals.

We are an equal opportunities employer and we are proud to make diversity a strength for our company. Societe Generale is committed to recognizing and promoting all talents, regardless of their beliefs, age, disability, parental status, ethnic origin, nationality, sexual or gender identity, sexual orientation, membership of a political, religious, trade union or minority organisation, or any other characteristic that could be subject to discrimination.

Job code: 19000PC8
Business unit: SG CIB
Starting date: Immediate
Date of publication: 14/01/2020
Share on

Application Security Manager

Permanent contract   |   Montreal   |   Information Technology