
ROLE: Cybersecurity Design Reviewer/Architect
WHO WE ARE:
We are responsible for detecting and preventing attempted cyber intrusions against the firm, helping the firm develop more secure applications and infrastructure, developing software in support of our efforts, measuring cybersecurity risk, and designing and driving implementation of cybersecurity controls. The team has a global presence across the Americas, APAC, India, and EMEA.
Within Technology Risk, Advisory is the consultative and technology subject matter expertise arm, responsible for assessing new technology initiatives for risk, partnering with engineers to architect, design, and maintain secure applications and infrastructure, embedding implementation reviews as part of the SDLC and CI/CD pipeline via code analysis and penetration testing, and guiding technology innovation in terms of security and control.
The team plays a critical role in designing and assessing controls for our transition to building native public cloud applications.
HOW YOU WILL FULFILL YOUR POTENTIAL:
You will be part of the global Technology Risk organization, overseeing a subset of business-critical applications. Within that scope, your job will be to review and consult on major application changes at the design/architecture stage, from the information security perspective. You will be the security-related single point of contact for your application teams, aggregating signals from additional sources like penetration tests and bug bounty reports, to advocate for best-in-class security standards.
Your responsibilities will include:
Conduct cybersecurity design reviews, including those for AI and machine learning solutions, challenging and validating architectures prepared by development teams to ensure robust security practices are embedded from the start.
Serve as a cybersecurity advisor, providing expert guidance and best practices to teams on secure design and implementation strategies, with a particular emphasis on web applications and AWS infrastructure.
Drive organizational change by creating, documenting, and promoting effective security patterns, and actively supporting developers in applying them within their projects.
Conduct Read-out Calls with the business to articulate risk and recommend a mitigation strategy.
Analyse reports and findings from penetration tests and code reviews, guiding development teams in the effective resolution of identified security issues.
Mentor and support junior team members, fostering their growth and development within the cybersecurity discipline.
BASIC QUALIFICATIONS:
4+ years’ experience in one or more technical roles (focusing on application security and cloud security).
Prior experience in performing Threat Modeling, Secure Design Reviews or Secure Architecture Reviews.
Degree in Computer Science, System/Computer Engineering, Cyber-Security, or Information Security.
Practical knowledge of the most common cybersecurity vulnerabilities - e.g., OWASP Top 10 and cloud security gaps.
Strong experience with AWS security services and best practices (e.g., IAM, Security Groups, KMS, CloudTrail, GuardDuty, Inspector).
Knowledge of authentication and authorization protocols, including OAuth, OIDC, and SAML.
Knowledge of secure coding practices.
Familiarity with security standards such as OWASP Testing Guide, OWASP ASVS, NIST, and SANS Top 20.
Knowledge of common security controls and how they apply to different architectures and systems, including but not limited to authentication, monitoring, input validation, and secure configuration.
Experienced in application vulnerability assessment and penetration testing. Proficient with security tools such as scanners, debuggers, and HTTP proxies.
Familiarity with modern and common web stack technologies (e.g., HTTP/2, HTML5, REST, etc.) and platforms (e.g., Spring Boot, React, NodeJS, Python, MS SQL, PostgreSQL, MongoDB, etc.).
Knowledge of core cryptography (encoding, encryption, hashing, protocols) and their use and vulnerabilities in applications, such as TLS and algorithm-specific attacks.
Strong English communication skills, both written and verbal, to effectively convey risks to technical and management stakeholders.
Demonstrated ability to keep up-to-date with evolving security threats, vulnerabilities, and mitigation strategies through continuous learning and professional development.
PREFERRED QUALIFICATIONS:
Understanding of network security vulnerabilities and associated risks.
Proficient in operating system hardening and security protection.
Ability to conduct risk assessments for emerging technologies such as AI/ML.
Experience conducting architecture reviews of mobile applications.
Understanding Kubernetes security principles and practices.
Proficiency in cybersecurity principles and practices related to Azure and GCP.
Experience with securing trading and payments platforms, including knowledge of relevant compliance requirements (e.g., PCI DSS).
Knowledge of data protection strategies (data encryption at rest/in transit, access control policies, data masking, tokenization, data loss prevention, regular backups, etc.).
Experience with infrastructure-as-code tools such as Terraform, CloudFormation or AWS CDK.
Experience in crafting custom proof-of-concept application exploits using testing tools/frameworks or scripting exploits in Python, Perl, JavaScript, Shell scripting, etc.
Certifications and training in related areas (e.g., AWS Certified Security - Specialty, GCP Cloud Security Engineer, Azure Security Engineer Associate).

Infotree Global was founded in 2002 in a small office in Canton, MI, with a clear mission: to bring the world’s best talent together with the greatest companies, producing results through continuous improvement and innovation. From those humble beginnings, Infotree Global has explosively grown from a two-person operation to a global solutions company, functioning in over 150 countries across 5 different continents.
Infotree Global proudly serves more than 250 of the Global 1000, numerous government agencies, and some of the world’s largest nonprofit organizations. Our sustained growth is attributed to our focus and commitment to our thousands of full-time professionals. In today’s market, where high-quality dedicated individuals are in demand, Infotree Global recognizes that an emphasis on understanding, achieving, and exceeding our employees’ goals, aspirations and overall experience is paramount. This “people over profits” mindset has yielded tremendous success for our employees and clients. Our employees have a vast array of assignments available across the world to help achieve and exceed their career goals, and our clients have motivated, dedicated, and hardworking professionals on their team. We are here to help the best talent work with the greatest companies to produce innovative results in a variety of industries including but not limited to IT, Engineering, Clinical, Skilled Trades, Finance and Accounting.
Our mission’s success is supported by several industry awards and accolades. If you are looking for a committed and understanding partner, your search ends here.