Description

The Security QA Team is a core function of Enterprise QA's non-functional testing team and is primarily responsible for establishing and guiding the Application Security Testing Program within TD Ameritrade. These activities include penetration testing, software security scanning, vulnerability management and remediation, automation of security testing, and the education of TDA software developers and other testers in security best practices.

  1. Conduct software security testing, including penetration testing, to identify security vulnerabilities resulting from security bugs, coding errors, omissions, and defects
  2. Ensure the security of software produced or procured by TDA to prevent loss, inaccuracy, alteration, unavailability, or misuse of data
  3. Introduce automated regression testing of fixed vulnerabilities into TDA's continuous delivery/continuous integration processes and procedures
  4. Constantly monitor new security research findings; understand, learn, and then apply new techniques, attack vectors, and vulnerability types in the Security QA program at TDA
  5. Define the enterprise risk management and governance approach for SQA controls
  6. Partner with, guide, and inspire development teams to address security concerns
  7. Partner with other teams to integrate software security scanning and testing into TDA's software development, build, and testing programs
  8. Develop, mentor, and train application developers and SQA staff in application security best practices and secure coding
  9. Review, inspect, and walk through source code to help developers understand vulnerabilities, and advise developers on remediation
  10. Develop application-specific threat models to identify security design flaws and provide guidance on application-specific risks and controls (complex to highly complex)
  11. Introduce new technologies for vulnerability scanning and work with application developers to ensure they are integrated and used consistently
  12. Design the strategy, standards, and architecture for the security aspects of the SDLC, including application, mobile, web service, DevOps, cloud, and CI/CD efforts
  13. Provide indicators and reports used to help assess control effectiveness

Required Skills:

  1. Bachelor's degree in Computer Science, Computer Engineering, or a closely related IT field
  2. 7 years of total related experience
  3. Web application penetration testing and software test/development background
  4. 5+ years of enterprise software development/testing experience, including development experience in Java with knowledge of JSSE and other Java security features; experience with .NET/ASP/C# is also a plus
  5. Working knowledge of the Java development environment, including the tools and frameworks used by developers, DevOps, and testers (e.g. Eclipse, Spring, Jenkins, Maven, Jira, Selenium)
  6. Solid understanding of a variety of software security practices: secure code review, vulnerability scanning methods, threat modeling, security requirements analysis, and architectural risk analysis
  7. Experience leading the creation and adoption of enterprise security testing tools
  8. Experience working with development teams to define alternatives and recommend optimal solutions to meet security requirements in the design of new or enhanced systems
  9. Expert knowledge of application vulnerability types, attack vectors, and remediation approaches
  10. Expert knowledge of DAST solutions and techniques
  11. Familiarity with SAST solutions and techniques
  12. Industry best practices for secure software development and testing as well as web application security, including IAST and RASP technologies
  13. Experience with continuous delivery/continuous integration processes and procedures, including implementing critical security considerations in automated workflows
  14. Knowledge of web application full-stack architecture and network models
  15. Demonstrated technical competency in security engineering based on hands-on experience or relevant qualifications
  16. Understanding of Internet protocols and their associated security mechanisms: TCP/IP, HTTP, SSL/TLS, PKI
  17. Familiarity with well-known application security sources and standards such as OWASP, WASC, NIST, and CVE
  18. Experience developing security testing software to aid in testing and in automating dynamic application security testing
  19. Understanding of automation development and techniques
  20. Ability to positively influence the behavior of peers and build relationships with other teams without direct authority over those teams
  21. Extensive applied knowledge of dynamic analysis tools and hacking tools
  22. Experience performing software security architecture, design, and requirements analysis for large-scale enterprise systems
  23. Experience leading enterprise deployment of application security tools, services, and controls
  24. Information security and control certifications preferred (CISSP, GPEN, GWAPT, OSCP, CEH, etc.)
  25. Military education or experience may be considered in lieu of the civilian requirements listed

Education

Bachelor’s Degree