Application Security Specialist

Company: Starlink
Sector: Computer, Software & IT
  • Date Posted: April 21, 2025

About the job

Secure Software Development:

  • Integrating security into SDLC: Ensure information security requirements are incorporated into every phase of the Software Development Life Cycle (SDLC), from design and development to deployment and maintenance.
  • Secure coding practices: Enforce secure coding practices across development teams, ensuring that developers adhere to best practices for writing secure code.
  • Code reviews: Conduct and support manual or automated code reviews, focusing on identifying potential vulnerabilities such as SQL injection, cross-site scripting (XSS), and buffer overflows.

Security Testing:

  • Penetration testing: Perform regular penetration tests on the company's fintech products and services to uncover exploitable vulnerabilities and weaknesses that attackers could target.
  • Security testing automation: Implement automated security tests (e.g., static application security testing (SAST), dynamic application security testing (DAST), interactive application security testing (IAST)) in CI/CD pipelines.
  • Security audits: Conduct periodic security audits to verify the adherence of applications to security best practices and regulatory standards (QCB, NIA, PCI DSS, ISO 27001).

Vulnerability Management:

  • Identify vulnerabilities: Use static and dynamic analysis tools, manual testing, and penetration testing techniques to identify and prioritize vulnerabilities in fintech applications, payment systems, banking platforms and mobile wallets.
  • Prioritize and remediate: Work with development teams to prioritize and resolve vulnerabilities, ensuring that critical vulnerabilities are fixed as quickly as possible.
  • Track vulnerabilities: Continuously monitor, track, and document vulnerabilities in a central management system to ensure they are addressed in a timely manner.

Threat Modeling and Risk Assessment:

  • Conduct threat modeling: Perform threat modeling exercises, identify potential attack vectors, and assess the security posture of applications in line with the evolving threat landscape for fintech applications.
  • Risk assessment: Analyze security risks based on identified vulnerabilities and assess the potential business impact of exploitation.

Incident Response and Remediation:

  • Incident response: In the event of an application-related security incident or breach, take the lead in investigating, containing, and remediating the issue.
  • Post-incident analysis: Conduct post-mortem analyses of incidents to identify root causes, improve security practices, and prevent future occurrences.

Compliance and Standards Adherence:

  • Regulatory compliance: Ensure that applications meet relevant security standards and compliance requirements (e.g., QCB, NIA, PCI DSS, ISO 27001).
  • Security frameworks: Apply established guidance such as the OWASP Top 10, the CWE/SANS Top 25, and NIST publications to guide secure application design and development.

Tooling and Automation:

  • Security tool management: Select, configure, and manage security tools for code scanning, vulnerability management, and penetration testing (e.g., static application security testing (SAST), dynamic application security testing (DAST), software composition analysis (SCA)).
  • CI/CD pipeline integration: Integrate security testing into the CI/CD pipeline to automate security checks and prevent vulnerabilities from reaching production environments.

Minimum Experience, Essential Knowledge & Skills

  • 10 years’ experience in Application Security
  • 5 years’ experience in a similar capacity at a financial organization is preferred

Preferred Qualifications

  • Certified Information Systems Security Professional (CISSP)
  • Certified Ethical Hacker (CEH)
  • Offensive Security Certified Professional (OSCP)
  • Certified Cloud Security Professional (CCSP)
