Lead Application Security Engineer

Overview:

As the Lead Product Security Engineer at M&T Bank, you will support and participate in the building and implementation of software security controls in all stages of the product development life cycle. This role will offer you the opportunity to be involved with a wide range of responsibilities in transforming the software security culture and technologies. We are looking for a highly motivated, talented, and hands-on engineer who will be responsible for identifying and mitigating software vulnerabilities through code reviews, security assessments, threat modeling, and providing secure coding guidance to software engineers. This role is integral to our technology transformation journey, ensuring the security posture of our bank-wide infrastructure and products.

This role is based in Buffalo, New York with hybrid work model of 3 days per week in the office.

Primary Responsibilities:

• Collaborate with cross-functional teams to integrate security measures into the software development process including conducting code reviews, secure code guidance, threat modeling

• Stay up to date on emerging threats and vulnerabilities, and proactively recommend security enhancements.

• Partner with engineering teams and provide guidance and support to developers on secure coding practices and security best practices.

• Mentor product security engineers and DevSecOps professionals to ensure a strong security posture across all software development and deployments.

• Assist in the development of software security processes, configuration of tools, and management of solutions to tactically address software security vulnerabilities.

• Build and support high quality security documentation for product security best practices.

• Utilize product security scanning tools to track, analyze, and manage vulnerabilities.

• Develop analytics to evaluate and enhance the effectiveness of the vulnerability management program including, tools, technologies, policies.

• Communicate effectively with all levels of organizational leadership, conveying complex technical concepts in a clear and concise manner.

Education and Experience Required:

• Bachelor’s degree in Computer Science, Information Systems, Cybersecurity or applicable discipline and a minimum of 5 years of relevant work experience.

• Demonstrable experience developing and maintaining automation for product security tasks and defect identification.

• Advanced knowledge with industry standards and frameworks such as OWASP, ISO 27001, GDPR, PCI DSS, and NIST.

• Advanced experience with security testing tools and techniques and fixing vulnerabilities.

• Strong background in cybersecurity, manual code review, static/dynamic code analysis, threat modeling, bug bounty research and vulnerability management. • Experience with at least 2-3 of the following programming languages – Java, C#, JavaScript, Python, PHP, Ruby, Scala.

• Hands-on experience with product security tools and exploit tools and methods.

• Hands-on experience with product security testing tools such as SAST, DAST, IAST, SCA, and SBOM as well as experience with DevOps technologies such as CI/CD pipelines, repos, etc.

• Excellent communication and leadership skills.

• Capable of working on multiple projects of a complex nature

• Excellent problem-solving skills to assist in issue resolution.

• Detail-oriented with excellent verbal and written communication skills, with prior experience presenting to the target audience.

• Excellent organizational, teamwork, and time management skills

• Strong vertical thinking skills.

• Experience recommending and implementing security solutions.

• Experience driving project milestones and delivery dates.

• Proven mentoring and leadership capabilities.

Education and Experience Preferred:

• Cyber security certifications in the domain of product security or penetration testing (such as GWAPT, GCPEN, OSCP, CSSLP, CCSP).

• Proven experience in software development including architecture review & secure coding.

• Familiarity with mobile security testing.

• Strong understanding of mainframe, web productarchitectures, security protocols, and encryption.

• Familiarity with cloud security principles and practices.

• Experience running a bug bounty program.

• Knowledge of Cloud platforms such as AWS, GCP, Azure, Oracle.

Location