The AWS Cloud Security Technical SME is responsible for the analysis, evaluation, and execution of an application security program that integrates development activities, information security, and automated release methods within the CI/CD pipeline. The successful candidate has a strong grasp of both development lifecycles and information security.


Responsibilities:


From an Information Security perspective, this role is expected to fully grasp the concepts behind security controls and how they apply to application development, secure infrastructure, and CI/CD environments. This individual is accountable for identifying weaknesses in our security posture within the application and web space, and for defining methods to meet security control requirements through automation or other highly efficient means that support timely delivery with minimal overhead. Other key responsibilities include:


·       Critical thinking and analysis in the security discipline are essential, as this role will identify the root cause of information security exposure across the enterprise, with or without obvious indicators of exposure.

·       Partnering with teams across the IT organization and helping to influence decisions which lead to a high standard of security.

·       The secure design, architecture, and implementation of new applications, including secure software development lifecycle (SDLC) practices that incorporate threat modeling and security testing.

·       Define and publish Application Security standards in a practical and consumable format. Ensure compliance with applicable security controls when writing such standards.

·       Present recommendations for review and validation with VP and CISO.

·       Conducting technology research for innovation, continuous improvement, and knowledge sharing in the Application Security space, and developing a subset of the technology strategy as a result of this research.

·       Teach, enable, and advocate key Architecture and Technical principles and implementation across all engineers inside the Product Engineering Organization.

·       Organizing training to improve employees’ knowledge and skills for future organizational growth as it relates to Architecture principles and standards.

·       Assist in the development of training for all personnel related to the Application Security space. 

·       Contribute to talent acquisition and upskilling in the area of expertise.


Qualifications:


As the focal person for Cloud Security, the individual will have robust training, experience, and background in both Information Security and Application Development lifecycles, approaches, languages, and tools. Qualifications include:

·       Bachelor’s Degree in Computer Science (or a related field) or equivalent experience as a hands-on AWS Cloud security architect/senior security engineer.

·       Previous experience in defining organization-wide security processes and methodologies, a proven leadership/influence style, a customer-service oriented demeanor, problem-solving, effective reporting via metrics and indicators, and strong communication skills are all essential to this function.

·       Ability to manage full application stacks, from the OS through custom applications, in Amazon cloud-based computing environments.

·       Ability to work closely with architects and engineers to design networks, systems, and storage environments that effectively reflect business needs, security requirements, and service level requirements.

·       10+ years of IT Security experience. Industry certifications are a plus (e.g. CISSP, CEH, GPEN).

·       Highly technical and analytical expertise, with a proven deep background in security technology design, implementation, and delivery. This individual must be comfortable providing metrics, analysis, and quantitative/qualitative evidence when necessary to drive a security outcome.

·       The ability to code is a mandatory, non-negotiable skill. Of particular importance is the ability to work with infrastructure-as-code and delivery tooling (e.g. Terraform) and scripting languages (e.g. Python), along with application languages such as Java and Kotlin.

·       A comprehensive understanding of common exploits and their implications is essential, so that observations and findings can be not only remediated but also prioritized in accordance with their risk-ranked potential impact.

·       Understanding of frameworks such as MITRE ATT&CK and OWASP ASVS, including how to incorporate them into an Application Security program, how to use them to assess the application threat landscape, and how to use them when communicating with stakeholders.

·       Ability to identify relevant findings in vulnerability scan results and to advise development teams on how best to remediate them.

·       Understanding of Authorization Policy as Code practices and the ability to write such policy as code. Knowledge and ability to build security automations on AWS.

·       Understanding of OIDC/OAuth/SAML architecture and usage patterns.

·       Demonstrated understanding of good software design/architecture principles.

·       Demonstrated coaching/teaching skills for small teams and individuals.

·       Ability to create training plans and materials for technical people.

·       Strong quantitative, analytical, problem-solving skills, including the ability to accumulate, organize and assimilate large amounts of information. 

·       Ability to work independently, plan, and prioritize work to meet commitments aligned with organizational goals. 

·       Ability to lead/co-lead Risk Assessments and Security Reviews.

·       Ability to lead the technical aspects of an Incident Response.

·       Experience designing and building web application environments on AWS, including services such as EC2, S3, ELB, and RDS.

·       Experience with DevOps tools such as Jenkins, Maven, GitHub, Ansible, Artifactory, and SonarQube in a cloud environment.

·       Experience with Linux and Windows Server system administration.

·       Experience installing and configuring application servers such as WebLogic, JBoss, and Tomcat.

·       Ability to create and use AWS CloudFormation templates to automate the provisioning of AWS infrastructure.

·       Proficiency in developing scripts and in scripting languages.

·       A team player capable of high performance and flexibility in a dynamic working environment, with the ability to lead.

·       Skill and ability to train others on technical and procedural topics.


Additional:

·       The AWS Cloud Security Technical SME will engage with Engineering leaders, Architects, Administrators, Engineers, and Project and Program managers to educate, coach, advise, and improve the skills of people across the organization.

·       AWS Certified Solutions Architect Associate preferred

·       AWS Certified Solutions Architect Professional preferred

·       Experience with technologies including AWS, Linux, and Puppet.

·       3 to 5 years of demonstrated experience designing and developing complex distributed IT solutions (e.g. cloud, distributed systems, or high-performance computing).

·       Usually functions with high autonomy; requires only occasional guidance.

·       Requires a high level of initiative. Provides technical guidance and consultation to other architects and engineers.

·       Informs better decision making at all levels of the technology organization.

·       Reports directly to the VP in the Security and IT Organization.

·       Demonstrated experience with geographically distributed teams in a matrixed environment.

·       Additional insights, experience, or background in any of the following are also of great value: NIST, ISO 27001, Java development, Kotlin, static code analysis (SAST), dynamic code analysis (DAST), penetration testing and vulnerability scanning, containers and microservices, CI/CD pipelines, Agile (sprints/Scrum), GitHub, Black Duck.