Security Engineer, Vulnerability Management

Purpose of the Job

The Security Engineer, Vulnerability Management is responsible for operating and maintaining security testing tools. In addition, the role performs security testing, provides security advisory services, and collaborates with technology and business teams to integrate security tools and processes into new and existing applications and cloud environments. The role's primary objective is to reduce risk of security vulnerability exploitation to the business while delivering a high level of satisfaction to internal customers by utilizing automated remedial tasks to improve operational efficiency.

Main Activities:

•Perform security testing using tools such as DAST, SAST, IAST, Mobile DAST, SCA, RASP, EASM, and CSPM.

•Provide security advisory services to technology and business teams in the realm of application and cloud/infrastructure security.

•Maintain application security and cloud security toolsets and ensure that they are up-to-date and functioning properly.

•Escalate outstanding application and cloud vulnerability mitigation requests as required. 

•Collaborate with development teams to ensure security is integrated into the development lifecycle

•Assist in the development of documentation for application security processes and procedures.

•Stay up-to date on the latest application and cloud security trends and technologies

Knowledge/Skill Requirements:

•  A college diploma or university degree is required. Higher accreditation (e.g. Bachelor of Computer Science) is preferred. 
• At least two years of information security experience.
• Strong understanding of Application Security concepts and best practices.
• Understanding of Vulnerability Management concepts and best practices.
• Experience of setting up and running scanning tools for IT Infrastructure and/or Applications Security Testing is required. 
• Experience of cloud environment is required.
• Understanding of CI/CD pipeline and approaches to automate security testing is an asset.
• The following certifications are an asset: CCSP, CCSK, CISM, CISSP, or CRISC. 
• Understanding and experience with PCI, MITRE ATT&CK, BSIMM, NIST, ISO 27K an asset. 
• Experience working in a banking or financial services environment is an asset. 
• Strong analytical and problem-solving skills.
• Excellent communication and interpersonal skills.




Accountability: 

• Reports directly to the Manager, DevSecOps & Infrastructure Security
• This position sets priorities for themselves
• This position is empowered to make decisions that impact their own position, however, there is decision-making involved relating to vulnerability management, which could have a potential impact on the overall reputation of the bank.
• It is unlikely the decisions made in this position would have a long-term performance impact to the bank.
• This position requires contact with suppliers, and potentially with other FIs through information sharing circles, like FS-ISAC. The nature of contact with suppliers is to troubleshoot issues with current products; to understand capabilities of new products. The nature of contact with other FIs is sharing information related to the cyber threat landscape and how to industry is adapting.