Senior Application Developer - Information Security

Montreal, Canada   |   Permanent contract   |   Information Technology

Responsibilities

Day-to-Day Responsibilities

  • Act as the main point of contact and expert in application and data security to the application development teams to offer solutions to new threats and risks in order to protect our customers’ and employees’ data
  • Perform the evaluation, selection, deployment, and management of application and data security tools such as code scanning and review tools, encryption solutions, MFA solutions, etc.
  • Participate in the bank’s application development lifecycle to ensure security controls, processes, and solutions are integrated within applications (e.g., participate in development meetings from analysis to implementation), addressing for instance:
      • Security event logging and monitoring (e.g., database monitoring such as Imperva)
      • Secure code practices (e.g., code scanning, source code reviews using tools such as Checkmarx)
      • Identity and Access Management (IAM) (e.g., SSO, MFA)
      • Implementation of web application firewalls
      • Deployment of encryption over NPI/PII
  • Review and sign-off on all recommendations on remediation action items resulting from the work performed as part of application development projects
  • Promote “Security by Design” practices across the application development teams and the business through multiple channels such as training classes, certifications, security toolkits, standards and guidelines, etc.
  • Establish strong partnerships with the business and support line stakeholders for elevating awareness and proactive adoption of information security behaviors
  • Advise and challenge security proposals for new applications or significant changes to existing platforms
  • Attend new project tollgate meetings to review proposed solution architectures and advise on information security topics
  • Develop, implement and manage application-related security policies, standards, procedures, and guidelines that will assist the application development teams in integrating security requirements within their applications and databases
  • Ensure regional application security needs are adequately supported through formal compliance documents and related frameworks.
  • Ensure cloud security compliance frameworks and controls are adequately defined, implemented and effective to support both compliance and best-practice security requirements
  • Support core application security activities such as penetration testing, vulnerability threat assessments, security reviews and assessments, code reviews, etc. to ensure existing and new applications meet the required security policies and regulatory requirements (such as FFIEC and NYSDFS 500)
  • Ensure application security activities are aligned with the Vulnerability Management (VM) team to track and monitor application vulnerabilities identified as part of the bank’s VM program
  • Manage the assembly, monitoring and reporting on application security metrics to ensure transparency, compliance and steering of the perimeter
  • Generate application security metrics for regional and global dashboards (automate whenever feasible)
  • Provide application security support during cybersecurity incidents adhering to the bank’s Security Incident Response Management framework
  • Evaluate and participate in outsourcing and/or third-party initiatives that involve the processing of applications and data
  • Provide technical briefings to senior management (e.g. CISO, CIO, etc.) on security topics
  • Manage key operations controls:
      • Technical Security Assessment (TSA) – Execution through the Cyber Security Center of Excellence (CoE) in Bangalore and preferred security consulting firm
      • Static Application Security Testing (SAST) – Code testing performed through Checkmarx
      • Network Penetration Testing – Test execution performed by external third-party and includes both outside-in and inside-out network penetration tests
      • Application Sensitivity Assessment (ASA)

Profile Required

Professional Experience

  • 7-10 years of related business experience in application development and databases required (proficient in speaking the language of application developers)
  • Understanding of OWASP security concepts and common application security risks, such as XSS, XSRF, SQL Injection, Cookie Manipulation, etc.
  • Strong knowledge of change management processes and the software development lifecycle
  • Strong hands-on experience in application development with Java, JavaScript, PHP, C, Rails, .NET, or other languages.
  • Solid knowledge of operating systems, relational database architecture, client/server technology, business data processing, database analysis and design theory, transaction processing systems, wide and local area networks, communications protocols, encryption standards, and authentication protocols.
  • Strong analytical, problem-solving, and project management skills
  • Extensive training in engineering disciplines including application and data security, systems programming, systems design, computer technology and software disciplines
  • Some experience with software penetration testing, secure code review, architectural risk assessment, and/or static code analysis preferred

Education and Certifications

  • Bachelor's degree or equivalent business experience in Computer Science, Database Administration, MIS or Electrical Engineering required
  • Ethical hacking certification preferred as well as certified training in application security solutions and practices
  • CISSP, CISA, CISM, GSEC, or related certification(s) required
  • Knowledge of US security regulatory requirements and environment in the financial services industry (e.g., FFIEC) a plus
  • Experience working in a global / international environment with a broad range of policies and procedures preferred

Competencies

  • Quick learner in application security domains
  • Exceptional communication skills – both verbal and written
  • Detail-oriented and organized
  • Break down complex problems into manageable units, develop solutions for each unit, and integrate them back into the whole
  • Absorb new ideas quickly and then apply them pragmatically
  • Identify key or underlying issues in complex situations
  • Assess the situation by identifying patterns or connections which are not obviously related
  • Capable of adjusting to new environments and working effectively in varied situations
  • Set goals and priorities that maximize the use of available resources
  • Team-oriented, client-focused and open to different ideas/viewpoints
  • Self-awareness of own behavior/work style, as well as tolerant of different needs and viewpoints
  • Interested in others’ opinions; shows consideration, concern and respect for other people

Languages (other than English)

  • French (a plus)

Business Insight

Data & Cyber Security (DCS) is globally responsible for securing and steering Information Security and Cybersecurity related risks for the Global Banking and Investor Solutions (GBIS) division and related Service Units. DCS is composed of diverse and talented professionals who translate ideas into action daily by combining the strength of its expertise with a deep understanding of GBIS and Service Unit needs.

DCS’s responsibilities cover the management of Information Security and Cybersecurity frameworks and revolve around five areas of expertise – Identification, Protection, Detection, Response, and Recovery.

DCS achieves this while promoting a collaborative, innovative, diverse, and fun environment for its Information Security and Cybersecurity professionals.

The Sr. Application Developer - Information Security for Société Générale is responsible for implementing and managing the DCS Application Security strategy and supporting programs in the AMER region to ensure that security controls are functioning efficiently and effectively in the realms of application and database security logging, monitoring, alert management, incident handling, vulnerability and configuration management. These activities are performed in tight collaboration with application developers located in the AMER region and globally (e.g., India, France).

The position is hands-on and provides technical expertise to establish and implement security-related standards, procedures, and guidelines appropriate to securing the existing environment in partnership with various application development teams, engineering teams, and the business.

The position also supports the DCS team in doing security research and development, product evaluations, consulting, project support, and any other operational tasks needed to support the overall requirements of the Information Security program and strategy.

The bank will provide the necessary security and technical training curriculum and certification(s) for the candidate with proven and practical experience in application development activities, SDLC methodologies, programming and scripting languages, systems integration, analysis/design, etc. Candidates need to be able to demonstrate a strong control and data-centric mindset in their application development practices.

We are an equal opportunities employer and we are proud to make diversity a strength for our company. Societe Generale is committed to recognizing and promoting all talents, regardless of their beliefs, age, disability, parental status, ethnic origin, nationality, sexual or gender identity, sexual orientation, membership of a political, religious, trade union or minority organisation, or any other characteristic that could be subject to discrimination.

Job code: 19000PC8
Business unit: SG CIB
Starting date: 30/03/2020
Date of publication: 15/02/2020