Listing Description
The Team:
S&P Ratings Security team focuses on protecting our clients and users from all aspects of modern-day security threats. The mission of our team is to safeguard systems and data by developing innovative solutions for the biggest security challenges. We are passionate problem solvers with deep security expertise.
Responsibilities and Impact:
We are looking for a Lead security engineer responsible for security testing including penetration tests, vulnerability scanning, threat assessments, attack simulations, and red/purple team assessments to enhance security of S&P Ratings Applications and Services.
This position is a technical lead role with an opportunity to apply expertise in open-box penetration testing, threat modeling, mixed closed- and open-box application security analysis, and vulnerability assessment. This position will collaborate with software development teams, DevOps, and SRE to drive security into how we design, build, deploy, and operate applications. Responsibilities include mentoring junior engineers and maturing the team’s capabilities and processes.
A successful candidate for this position will:
- Security/penetration test web applications and underlying infrastructure for vulnerabilities using both manual and automated techniques
- Build scripts, tools, or methodologies to enhance offensive security testing
- Have expertise with different types of vulnerability assessment tools or related experience in vulnerability detection DAST/SAST tools
- Employ advanced techniques including reverse engineering, fuzzing, and conduct research to identify new and novel attack vectors
- Possess sound knowledge of common infrastructure and web application vulnerability categorizations such as CVE, CVSS, CWE
- Have experience analyzing, identifying, and developing remediation plans for vulnerabilities
- Have a sound understanding of application and web-based attacks
- Have an exploit development background and be able to discover new vulnerabilities in systems and applications
- Understand how applications, cloud networking, operating systems, and databases work in order to design new attacks
- Analyze findings from a variety of application security tools (DAST, SAST, SCA, Credential Scanning) to secure web applications during development and production run-time
- Effectively communicate findings, attack paths, recommendations, and strategy to technical and executive client stakeholders through written reports and verbal presentations
- Demonstrate risk of detected issues to both technical and non-technical audiences, recommend code changes to eliminate vulnerabilities
- Automate security testing at various stages within the CI/CD pipeline
- Develop secure coding standards and training across multiple application frameworks and technologies to address security-test findings
Compensation/Benefits Information: (This section is only applicable to US candidates)
S&P Global states that the anticipated base salary range for this position is $105,000 to $200,000. Final base salary for this role will be based on the individual’s geographic location, as well as experience level, skill set, training, licenses and certifications.
In addition to base compensation, this role is eligible for an annual incentive plan.
This role is eligible to receive additional S&P Global benefits. For more information on the benefits we provide to our employees, please click here.
Basic Qualifications:
- Bachelor’s Degree in Computer Science, Information Systems, or equivalent work-related experience
- Minimum 8 years total experience in a technical role such as security engineer with software development experience
- Design, implementation, and operation of a secure software development lifecycle
- Experience with web application security/penetration testing and common attack vectors
- Experience with secure application development
- Experience with defense-in-depth strategies to help mitigate existing risk within applications
- Software development experience in a common programming language: Java, Python, C#
- Scripting/programming skills - Python, PowerShell, GoLang, Perl, JavaScript, .NET, API Integration
- Security tooling automation in CI/CD pipelines and IDE interfaces, including Static Application Security Testing (SAST), Software Composition Analysis (SCA), and Dynamic Application Security Testing (DAST) solutions
Additional Preferred Qualifications:
- Experience reproducing proof of concept exploitation steps
- Deep application security knowledge, with the ability to map an application vulnerability to exploitation indications and relevant investigative techniques
- Familiarity with standardized penetration testing and red teaming standards and procedures, such as NIST SP 800-115 and TIBER-EU
Right to Work Requirements:
This role is limited to persons with indefinite right to work in the United States.
Return to Work:
Have you taken time out for caring responsibilities and are now looking to return to work? As part of our Return to Work initiative, Restart, we encourage enthusiastic and talented returners to apply, and we will actively support your return to the workplace.
Listing Details
- Salary: $105000 - $200000
- Citizenship: Not Provided
- Incentives: Bonus
- Education: Not Provided
- Travel: No Travel
- Telework: Full Telecommute