Tech Risk - Secure SDLC

    • Dallas, TX



Business Unit Overview

Led by the Chief Information Security Officer (CISO), Technology Risk secures Goldman Sachs against hackers and other cyber threats. We are responsible for detecting and preventing attempted cyber intrusions against the firm, helping the firm develop more secure applications and infrastructure, developing software in support of our efforts, measuring cybersecurity risk, and designing and driving implementation of cybersecurity controls. The team has global presence across the Americas, APAC, India and EMEA. Within Technology Risk, Advisory is the consultative and technology subject matter expertise arm, responsible for assessing new technology initiatives for risk, partnering with engineers to architect and design secure products and services, embedding implementation reviews as part of the SDLC and CI/CD pipeline via code analysis and penetration testing, and guiding technology innovation in terms of security and control across Goldman Sachs. The team plays a critical role in designing and assessing controls for our transition to building native public cloud applications.

Role

In this role, you will You will join Global Application Security team within Technology Risk, a team that is responsible for the identification of Security flows in the firm's software asset portfolio, along with providing security assurance advices and guiding the engineers into manage application risks. You will interact with all parts of the firm giving you the opportunity to grow within the Technology Risk team itself, but also gain the breadth of experience and knowledge to facilitate future career moves into risk & control management roles in other divisions within the firm

The ideal candidate should have experience of integrating software security controls within continuous deployment SDLC and the ability to review the findings and tune the pipeline to facilitate user experience and in the same time to increase the value of the security controls in SDLC.

RESPONSIBILITIES AND QUALIFICATIONS

Job Responsibilities:

You will become a highly committed trusted Risk Advisor with the discipline and interpersonal skills to work in a global environment communicating the impact of technology risks and the approach to mitigation/acceptance. You will provide Technology Risk Advisory risk assessment and advisory services to engineers as part of the EMEA Technology Risk function, including:

  • Driving adoption of embedded application security controls within Software Development Life Cycle (SDLC)
  • Architect and Engineer automated security testing solutions in DevOps firm-wide
  • Lead the team and the program of Static Application Security Testing program (SAST)
  • Engineer tools and solution that will facilitate the adoption of security controls
  • Product evaluation for new solution that can benefits the Secure-SDLC program
  • Review and provide advice and consultation to business owners for the security defects identified
  • Work with engineers to develop customized security testing strategy to complement the existing security testing program managed by Technology Risk
  • Communicate/Present/Promote the need and the vision of Secure-SDLC and Application Security
  • Strong accountability of the User Experience imposed by DevSecOps firm wide


Basic Qualifications:

You will have a minimum of 2 years' experience in information security or related fields and risk analysis techniques. You will use your strong technical, interpersonal, organizational, written and verbal communication skills to interact with your internal clients locally and globally. Your knowledge of Application Security, Risk Analysis and Risk Management techniques, methodologies and governance will enable you to be an active member of the team along with your professional experience in one, or more, of the following disciplines:
  • Secure software development practices and frameworks
  • Secure Code Review and Application Security assessment
  • Understanding of common application security vulnerabilities and controls to remediate.
  • Ability to engage technical client base of engineers and communicate security requirements, potential risks and influence development practices
  • Good knowledge of one programming language: Python, NodeJS or Go
  • CI/CD Knowledge: Jenkins, BitBucket CI, Bamboo, GitLab CI, Travis CI, Circle CI, AWS Code Commit and Deploy (or similar)
  • DevSecOps solutions (at least one tool from each domain)
  • Static Application Security Testing - SAST
  • Dynamic/Interactive Application Security Testing - DAST/IAST
  • Software Composition Analysis - SCA
  • Containing Security
  • Mobile Security


Preferred qualifications:
  • Medium-scale technical program management skills
  • Cloud Security applications (monitoring and preventing controls)

#techriskcybersecurity

ABOUT GOLDMAN SACHS

The Goldman Sachs Group, Inc. is a leading global investment banking, securities and investment management firm that provides a wide range of financial services to a substantial and diversified client base that includes corporations, financial institutions, governments and individuals. Founded in 1869, the firm is headquartered in New York and maintains offices in all major financial centers around the world.

ABOUT GOLDMAN SACHS

The Goldman Sachs Group, Inc. is a leading global investment banking, securities and investment management firm that provides a wide range of financial services to a substantial and diversified client base that includes corporations, financial institutions, governments and individuals. Founded in 1869, the firm is headquartered in New York and maintains offices in all major financial centers around the world.

© The Goldman Sachs Group, Inc., 2020. All rights reserved Goldman Sachs is an equal employment/affirmative action employer Female/Minority/Disability/Vet.


Back to top