The Technology Risk team protects the systems and data of our firm and our clients, equips our people with understanding and tools to measure risk and enable the use of technology, and evangelizes controls monitoring solutions. The team encompasses Information Security, Governance, Measurement and Security and Incident Response. The global Technology Risk team currently has presence in New York, London, Tokyo, Bangalore, Hong Kong, Zurich, Moscow, Dallas and Beijing. It covers all technology and business areas including subsidiaries and affiliates globally.
Technology Risk Advisory delivers best in class advisory support and technology solutions across the Information Security risk domains, including scalable uplifts of common core security solutions for use across Goldman Sachs. As a Risk Advisor, you will be part of or oversee a technical team that is responsible for assessing and managing the portfolio of risks for Divisionally aligned products. You are expected to have a working knowledge of the products you support, and provide technical design consultancy services as needed. Your team will be responsible for all assessments, including, Design / Architecture Reviews, Manual Code Reviews, Penetration Testing, and Continuous Monitoring / Scanning. The ideal candidate should possess the aptitude to build coalitions across teams / product owners, educate counterparts on secure development practices and work collaboratively to drive down risk.RESPONSIBILITIES AND QUALIFICATIONS
HOW YOU WILL FULFILL YOUR POTENTIAL
Support the Technology Risk Advisory function by leading a group of highly technical staff that assess risk, identify risk and advice on risk.
SKILLS AND EXPERIENCE WE ARE LOOKING FOR
Examine application state machine to validate assumptions and identify vulnerabilities
Should have a solid understanding of security controls and how they apply to different designs and systems.
Understand, highlight and articulate risk to product owners in an understandable language.
Present alternate designs to the teams in order to help them reduce risks.
Experience in application vulnerability assessment and penetration testing of web, thick-client, or mobile applications.
Experience managing a technical team or project, and liaising with product owners to manage risk portfolios.
Working knowledge of application security tools such as fuzzers, scanners, debuggers, decompilers, proxies, simulators, etc.
Familiarity with common web stack technologies (e.g. HTTP, HTML5, AJAX, REST, etc.) and platforms (e.g. DropWizard, AngularJS, Tomcat, .Net, Sybase, MS SQL, MongoDB, etc.).
Understanding of core cryptography concepts (encryption, hashing, HMAC, digital signature) and how they are applied and attacked in web applications (e.g. TLS attacks, CBC attacks).
Ability to analyse protocols, flows and interactions in a design to evaluate gaps.
min 5 years of relevant work experience.
Proficient verbal and written communication skills.
Expert knowledge of network, application and operating system security risks.
Medium-scale technical program management skills.
Bachelor of Science in Computer Science, System/Computer Engineering, Cyber-Security, or Information Security is preferred.
Experience or training in related disciplines e.g. computer science, computer security, software development, system design, open source frameworks, encryption schemes, etc.