Lead Application Security Architect (Resident)

Working as part of a small, dedicated team embedded within a large and internationally recognized finance institution, the Lead Application Security Architect will help build a culture of application security into the development processes. You will work with multiple development teams and systems architects to advise on security requirements, perform risk assessments, architecture reviews and threat modelling exercises, as part of a program designed to transform ways of working. 

Essential duties & responsibilities

• Partner with multiple application development teams within client organization, to ensure secure development of applications.
• Develop a broad and deep technical understanding of applications, services and architectures pertaining to the client application organization.
• Interpret results from exercises such as code review and penetration testing stakeholders and advise on remediation and mitigation as well as incorporate learnings into future designs.
• Conduct architecture reviews, threat Modeling, design reviews, code review on web and mobile applications and web services as and when required.
• Develop documentation, and a knowledge base to be used by developers for implementing secure coding practices
• Research and maintain knowledge of changing landscape of application security, latest threats, and attacker tools, techniques, and procedures.
• Provide recommendations for missing application security controls and secure design patterns.
• Support and provide consultation to development teams in the areas of application security, cloud security, DevSecOps, mobile security.
• Act as subject matter expert and provide mentorship to junior team members.
• Develop and maintain strong working relationship with development teams, leadership, and product owners.
• Lead the efforts towards creation and successful functioning of an application security program for client.
• Lead long term initiatives of program such as automation, processes, and documentation.
• Occasional travel to client locations might be required.

Key Skills and Qualifications 

• Knowledge of common application security flaws, threat modelling, security controls and common security libraries
• Understanding of security engineering principles including cryptography, access control, system security, and security operations
• Experience working with Developer organizations
• Experience with code scanning (SAST, DAST) tools for Javascript, Java, and Python languages and relevant frameworks.
• Experience with thick client application security, mobile security and cloud security.
• Excellent communication skills (written and verbal) with an ability to explain complex topics in a clear and concise manner to both technical and non-technical audiences
• Basics to intermediate development and scripting skills in at least one programming language
• Knowledge of cloud services and cloud security controls
• Experience with pentesting (plus)
• Experience with code reviews (plus)

Optional

• Certifications such as GPEN, GXPN, GMOB, GWAPT, OSCP, OSWE, OSCE, OSWP, AWS, CNCF (not mandatory)

Founded in 1996, Claranet has evolved into a multi-disciplinary technology services provider with global reach. The company has annualised revenues of circa £400 million, over 6,500 customers, and more than 2,500 employees in nine countries. In the UK we have over 500 staff working in London, Gloucester, Warrington, Bristol, and Leeds, or as homeworkers.  

Claranet Cyber Security is a world class business unit within Claranet, giving customers access to market-leading information security services spanning, training, consulting, and managed security services. Formed through the combined forces of NotSoSecure, the UK Security Business Unit (previously known as Sec-1), and units in France and Portugal. 

NotSoSecure has a strong heritage of penetration testing, consultancy, and security training for leading worldwide brands, built on the quality of its technical team and excellent customer service. In recent years the team has expanded its consultancy and training services, including a range of application security offerings to help customer build more security applications by design.