- Edinburgh, Scotland, United Kingdom
- Permanent, Full time
Senior Application Security Analyst
Location: Edinburgh, Scotland, United Kingdom
Moody's IT Risk Management is looking for a Senior Application Security Analyst who will be aligned to the IT Risk function to support the Secure SDLC program and Application Security Architecture. This position requires a background in application development, application security design review, application vulnerability remediation, and metrics-driven reporting practices, together with solid communication and organization skills.
The ideal candidate is highly motivated and willing to take on challenges, able to prioritize and manage multiple tasks, and has the ability to work independently with minimal oversight. The candidate has a broad understanding of cybersecurity, a deep understanding of application development practices and remediating application vulnerabilities, and is able to articulate complex information through reports, dashboards, and presentations that tell a story.
The Application Security Architecture program supports Moody's Information Risk and Security team by identifying flaws in new application designs and planned application changes, working with application developers to architect solutions to security-related application challenges, providing detailed explanations and recommendations to application developers about vulnerability findings, and reporting key vulnerability remediation metrics and dashboards to Moody's management.
- The senior application security analyst will work with the various development teams to implement application security practices that meet Moody's defined policies and standards for information security.
- The senior application security analyst must analyze information security systems/applications; make recommendations and develop security measures to protect information against unauthorized modification or loss.
- The senior application security analyst will serve as subject matter expert for best practices and security controls.
- Efforts will include:
- Serving as a subject matter expert for security in application projects
- Driving secure application development practices and a secure development mentality
- Managing the application vulnerability assessment process and tools (SAST and DAST) focused on web, client-server, and mobile applications
- Identifying, communicating, and driving the resolution of vulnerabilities
- Developing and updating security patterns aligned with security requirements
- Identifying application security requirements for projects
- Providing reports to development management and business management on the status of vulnerability remediation for their applications
- Performing functional requirement reviews and technical design reviews
- Coordinating and collaborating with server infrastructure engineering, network infrastructure engineering, business application development, and database administration functions to ensure that the confidentiality, integrity, and availability of corporate infrastructure meet business demands
- Performing other security-related projects that may be assigned according to skills
The Moody's Information Risk and Security team is globally responsible for helping the organization balance risk by aligning policies and procedures with Moody's business and regulatory requirements. The team is responsible for the development, enforcement, and monitoring of security controls, policies and procedures, disaster recovery programs, GRC (Governance, Risk and Compliance) reporting, and the delivery of security services including the company's Cyber Security program. Information Risk and Security management sets strategic direction for IT risk and security and aligns with stakeholders throughout the organization.
Technical Experience & Qualifications:
- Bachelor's degree or greater in a technical or business discipline
- Relevant experience, primarily in application development, information security, or a related field, preferably in the financial sector and/or supporting IT Risk or Information Security initiatives
- Experience and technical proficiency with modern application packaging, deployment, containerization, bug tracking tools, and other supporting tools (Jenkins, Maven, Docker, Kubernetes, Jira, Rally, etc.)
- Experience and technical proficiency with modern source code management and software repository systems (Git/GitHub, Perforce, Subversion, Team Foundation Server, etc.)
- Experience and technical proficiency with developing applications specifically for AWS and Azure Cloud hosting environments
- Experience with Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST) tools, and enterprise architecture tools
- Deep understanding of OWASP Top 10 and SANS Top 25 vulnerabilities
- Strong experience with data visualization concepts and tools
- Ability to analyze data using Excel including use of complex Excel macros / scripts for reporting purposes; some development experience is preferable
- Experience with Veracode (or other SAST/DAST tools), Jira, ServiceNow, and Splunk is preferable
- CISSP, GIAC, CISA, CISM, TOGAF certifications preferable
- Ability to work individually and as part of a team
- Strong written and oral communication skills
- Strong presentation skills; ability to adjust message and filter details based on audience (e.g. technical, business, management)
Moody's is an essential component of the global capital markets, providing credit ratings, research, tools and analysis that contribute to transparent and integrated financial markets. Moody's Corporation (NYSE: MCO) is the parent company of Moody's Investors Service, which provides credit ratings and research covering debt instruments and securities, and Moody's Analytics, which offers leading-edge software, advisory services and research for credit and economic analysis and financial risk management. The Corporation, which reported revenue of $4.2 billion in 2017, employs approximately 11,900 people worldwide and maintains a presence in 41 countries. Further information is available at www.moodys.com.
Moody's is an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, disability, protected veteran status, sexual orientation or any other characteristic protected by law.
Candidates for Moody's Corporation may be asked to disclose securities holdings pursuant to Moody's Policy for Securities Trading and the requirements of the position. Employment is contingent upon compliance with the Policy, including remediation of positions in those holdings as necessary.