Lead Secure Development and Threat Modeling
We're seeking a skilled Chief Software Security Architect to lead the integration of secure development practices across our software development lifecycle (SDLC) in both cloud and on-prem environments.
Main Responsibilities:
 * Secure Development Lifecycle Integration: Integrate security into continuous integration/continuous deployment (CI/CD) pipelines using modern automation and guardrails.
 * Secure Frameworks and Integrations: Design, develop, and integrate secure frameworks, software development kits (SDKs), and CI integrations to enable frictionless adoption of security controls.
 * Coding Standards and Guidance: Maintain secure coding standards and provide tailored guidance for our technology stack.
 * Container and Infrastructure Security: Collaborate with DevOps and platform teams to enhance container and infrastructure security using Docker, Kubernetes, and infrastructure as code (IaC).
Threat Modeling, Reviews, and Remediation:
 * Threat Modeling Workshops: Lead threat modeling workshops across product and platform teams to identify potential security risks.
 * Vulnerability Assessment: Identify and assess vulnerabilities using static application security testing (SAST), dynamic application security testing (DAST), software composition analysis (SCA), manual code reviews, and penetration testing.
 * Remediation Patterns: Promote reusable remediation patterns for code and infrastructure vulnerabilities.
 * Threat Intelligence: Leverage threat intelligence to prioritize mitigations based on business risk.
Engineering and Automation:
 * Automation Tools: Build and maintain automation tools for vulnerability triage, mitigation, and reporting.
 * API Security: Strengthen API security through robust authentication and authorization protocols, such as OAuth 2.0, OpenID Connect, and SAML.
 * API Gateway Integration: Integrate with API gateways, like Layer7 and MuleSoft, to enforce secure communication and tokenization.
 * Microservices and Distributed Systems: Support secure deployment of microservices and distributed systems using best-in-class tooling.
Security Culture and Enablement:
 * Mentorship: Mentor engineers and analysts, fostering secure development capabilities across teams.
 * Workshops and Training: Lead internal workshops, onboarding sessions, and lunch-and-learns to promote security awareness and education.
 * Advocacy and Expertise: Collaborate with Security Champions to build advocacy and threat modeling expertise within the organization.
 * Documentation and Playbooks: Create internal documentation, playbooks, and training materials aligned with real-world threats and security best practices.