
Senior Manager Application Security


Capital Group

4.2

New York, NY

Why you should apply for a job to Capital Group:

  • Ranked as one of the Best Finance Companies for Women in 2022

  • 4.2/5 in overall job satisfaction

  • 4.5/5 in supportive management

  • 83% say women are treated fairly and equally to men

  • 90% would recommend this company to other women

  • 86% say the CEO supports gender diversity

  • Ratings are based on anonymous reviews by Fairygodboss members.
  • Parental leave, and a Parental transition schedule where parents can work part-time up to six months after bringing home a child.

  • Flexible schedule can be adjusted to fit personal needs, depending on line of business and role.

  • 2-for-1 matching gifts for charitable contributions, with additional 3-for-1 matching gifts for select organizations.

  • #9680_JR266

    Position summary

    "I can succeed as Senior Manager Application Security at Capital Group."

    We are looking for collaborative, curious, and passionate people to join our Application Security team. The team will need to build enduring processes with innovative technology. We seek to improve the safety of customer data, provide innovative, yet seamless security services to the company, contribute to the community, and create long lasting relationships.

    As Application Security Lead you will head our application security engineering team, leading a team of highly skilled application security engineers whose principal mission is to assess and oversee the application security posture of Capital Group's production services and code. You will work closely with our development teams to define application security tooling and platform requirements and help us scale the traditional application security model of finding vulnerabilities manually to a fully automated and autonomous system. You will be able to take advantage of this unique opportunity to make real positive impacts to our security posture, lead the strategic direction and evolution of our application security team, and help us improve our security designs in our next gen of systems and services.

    Along with leading the team, you will be responsible for analyzing information security systems, applications, and application development processes and finding vulnerabilities and areas for improvement. You will also recommend and develop security measures to protect information against unauthorized modification or loss and coordinate with development teams or third parties to fix system/application vulnerabilities or deficiencies. You and your team will review not only technical implementations but also designs, architectures, processes, and operational procedures.

    Your responsibilities will include:

    • Lead, manage, recruit, and develop our geographically distributed application security team. Mentor and teach junior engineers.

    • Manage a team that designs, builds and deploys SDLC automation services to scale the identification, prioritization and remediation of security findings and bugs across all company apps and microservices.

    • Work with product teams throughout the company to provide security guidance to application and service owners to remediate known application security vulnerabilities.

    • Develop, implement, and continuously update threat models for Capital Group's applications, architectures, and systems

    • Use threat modeling, vulnerability scanning, code testing, and industry best practices to reduce and eliminate attack vectors and vulnerabilities in our applications, processes, and systems prior to deployment to production

    • Continuously streamline the security testing process from beginning to end.

    • Act on escalated issues, also providing recommendations when issues need to be further escalated.

    • Partner with other engineering teams to improve SDLC processes and deliverables.

    • Be a subject matter expert and ambassador to engineers and developers for secure coding practices and all aspects of application security.

    • Assist in the development and integration of security automation and DevSecOps.

    • Be a subject matter expert and ambassador to our engineers and developers, for secure coding practices, and all aspects of application security.

    • Bring new ideas (testing methodologies, automation processes, engagement processes, monitoring/tracking systems, testing tools).

    • Update and improve existing SDLC policies and procedures.

    • Manage time and priorities for the team by prioritizing, directing effectively and focusing on optimal allocation of team resources.

    • Create quality written work products and engineering artifacts for both technical engineering and non-technical consumers

    • Navigate successfully through ambiguous situations, helping others remain focused on achieving results

    Skills and qualifications:

    • Prior experience leading application security teams and programs.

    • Prior experience leading teams over multiple locations.

    • Deep understanding of secure development technologies, processes, and methodologies and cloud deployment strategies and architectures.

    • Comprehensive knowledge, experience, and understanding of testing for the OWASP Top 10, and CWE 25, including PoCs, automating attacks, and secure code remediation.

    • Strong understanding of Software Security Architecture and Design, SDLC, CI/CD, and the ability to clearly articulate best practices for application security.

    • Ability to evaluate, deploy, and manage application security tools (e.g. DAST, SAST, IAST, RASP, WAF) and build strong vendor relationships.

    • Familiarity with deployment of application architectures within AWS and Azure public cloud providers

    • Have a formal knowledge of typical application security attack vectors, exploits and mitigations, and be able to translate and classify pen-test and assessment findings into actionable application security bugs for engineering.

    • Strong Fundamentals of Systems and Software Architecture

    • Experience with API security, secure design and threat modeling

    • Application, Network, or Hardware Pen testing experience. Experience with release and supply chain integrity.

    "I am the person Capital Group is looking for."

    • You have a bachelor's degree or higher in Computer Science, Information Security or other technical area

    • You have at least 8-10+ years of experience in application security and development, preferably in the financial sector, including 4+ years of management experience.

    • Minimum 2 years relevant architecture experience with expert level knowledge of application systems design and integration.

    • You have previous application security testing experience, including presenting and documenting vulnerabilities, findings or incidents.

    • You listen for nuances, dig into details to understand systems deeply, and articulate technical details and risks to business leaders.

    • You understand and can negotiate tradeoffs between security requirements and usability

    • You communicate technical security requirements and issues clearly, and empower others to make security decisions

    • You know when to take a technical challenge on yourself, gain support, and delegate aspects of the work

    • You can problem solve and make complex analytical decisions with less than full information in ambiguous situations and environments

    • You are self-directed, very proactive, and adept at multitasking.

    • You have a personal passion for security and cutting-edge security concepts.

    Preferred Qualifications:

    • CCSP, CISM, CISSP certification

    • Familiarity with industry standards and regulations such as ISO 27001/2, FFIEC CAT, NIST CSF.

    • Experience writing in one or more of the following programming languages: C/C++, Java, Ruby, Python, and JavaScript.

    Southern California Base Salary Range: $184,252-$313,228

    San Antonio Base Salary Range: $165,933-$282,086

    San Francisco Base Salary Range: $203,168-$345,386

    New York Base Salary Range: $195,333-$332,066

    In addition to a highly competitive base salary, per plan guidelines, restrictions and vesting requirements, you also will be eligible for an individual annual performance bonus, plus Capital's annual profitability bonus plus a retirement plan where Capital contributes 15% of your eligible earnings.

    You can learn more about our compensation and benefits here.

    We are an equal opportunity employer, which means we comply with all federal, state and local laws that prohibit discrimination when making all decisions about employment. As equal opportunity employers, our policies prohibit unlawful discrimination on the basis of race, religion, color, national origin, ancestry, sex (including gender and gender identity), pregnancy, childbirth and related medical conditions, age, physical or mental disability, medical condition, genetic information, marital status, sexual orientation, citizenship status, AIDS/HIV status, political activities or affiliations, military or veteran status, status as a victim of domestic violence, assault or stalking or any other characteristic protected by federal, state or local law.


    What are Capital Group perks and benefits

    Lactation facilities

    Backup child care

    Paid maternity

    Paid paternity

    Paid adoptive

    Short term disability

    About the company

    30307

    Capital Group

    Industry: Finance: Asset Management

    At Capital Group, the success of the people who invest with us depends on the people we invest in. That’s why we offer a culture, compensation and opportunities that empower our associates to build successful and prosperous careers.

    Through nine decades, Capital Group’s goal has been to improve people’s lives through successful investing. We know that our history is a ...
