SSUSA Job #948: Application Security Risk Analyst

Job Description


One of our financial clients in NYC is seeking an Application Security Risk Analyst. You will be expected to contribute both on an individual application basis and as a member of the Information Security and Compliance department, raising application security standards across the organization by developing an application security framework (including SDLC development, standards and guidelines for application developers), helping the development teams identify application security vulnerabilities through a combination of security assessment techniques, and disseminating specialist application security knowledge to the development communities.


·       Work with various senior IT leaders and application development areas to develop and implement SDLC Program according to the organization’s unique information security risk management, governance, risk, and compliance processes;

·       Provides oversight/governance of the SDLC Program and communicates progress and issues to the CISO, Senior Business / IT Leadership and Application Development teams;

·       Serves as a consultant to disseminate the specialist application security knowledge to the development communities;

·       Researches and evaluates solutions and recommends the most efficient and cost-effective solutions for ensuring that security is built into all phases of the SDLC;

·       Leads demonstrations of application security tools to business and application development teams;

·       Responsible for the development and maintenance of Static and Dynamic Code Analysis Tools (such as Veracode) scanning policies, user provisioning and security strategy documents, and any other related documentation;

·       Engages Veracode and/or other third-party suppliers of application security software on system defects, support issues;

·       Researches and investigates new and emerging vulnerabilities, including 0-day events, and participates in external security communities;

·       Develop and implement a process for regular user recertification;

·       Validate the removal process for application access for terminated employees;

·       Perform semi-annual user access and entitlement reviews across the organization;

·       Perform quarterly reviews and recertifications of privileged accounts;

·       Identify and document the various functions and processes within each application;

·       Develop and maintain SOD matrices for each application used within the organization along with identification of toxic combinations;

·       Identify any conflicting duties based on the SOD Matrix and toxic combinations and perform remediation;

·       Develop roles and access profiles based on the SOD in collaboration with the business users;

·       Identify and document list of users and mapping to various functions and processes;

·       Experience as a Security Engineer specifically for applications and understanding of SSDLC Framework.

·       Strong background in application security assessments.

·       Experience in application security assessments (white box, black box, code review and forensic testing).

·       Hands-on experience with application security tools such as Veracode, IBM AppScan, Fortify, WebInspect, and Burp Suite.

·       Experience in integrating application security processes into CI/CD pipelines.

·       Knowledge of application security processes and standards, including OWASP (e.g. ASVS), CVSS scoring, and the factors that affect a risk rating.

·       Some system administration and coding experience in at least .NET, J2EE, and Python.

·       Experience with web services (API) architecture, security reviews and testing.

·       Solid understanding of encryption, certificate and key management services.

Job Location
New York City

Position Type