Associate Principal, Security Engineering
Job Description
What You'll Do
This is a Development Security Operations (DevSecOps) position with an emphasis on the integration and operation of a container application security platform within the on-premises Enterprise. The candidate will work closely with other members of the Security Services, IT Development and Quality Assurance teams to support application and software security initiatives, projects, and operations.
Primary Duties and Responsibilities:
To perform this job successfully, an individual must be able to perform each primary duty satisfactorily.
Responsibilities include the integration of runtime and container image scanning capabilities, agent deployment, on-premises back-end container scanning configuration, developing security policy for compliance and vulnerability management, and Falco rule tuning.
Supervisory Responsibilities:
None
Qualifications:
The requirements listed are representative of the knowledge, skill, and/or ability required. Reasonable accommodations may be made to enable individuals with disabilities to perform the primary functions.
Experience with CI/CD pipelines, application containers/microservices and software development/coding: Docker, Podman, Jenkins, GitHub, SVN, Terraform, Artifactory, Harness, Kubernetes and others.
Highly motivated individual who assumes ownership of their projects
Ability to act as a liaison between security and the development, IT, and QA teams.
Strong desire and capacity to learn and support new technical applications
Exceptional verbal communication skills that include the ability to articulate ideas clearly and concisely
Ability to write clear and concise documentation
Preferred:
Knowledge of security principles – Training and/or education preferred
Experience working in the financial industry
Technical Skills:
Working knowledge of Secure DevOps concepts and containers/microservices security
Experience administering and interpreting results from container security scanning and monitoring tools
Experience configuring container image scanning policies, such as with the CIS benchmark for Docker containers
Knowledge of scripting languages including Java, C++, Python, JavaScript, Bash
Familiarity with application frameworks and their built-in security services and APIs (i.e., Sun J2EE, MS .NET, OMG CORBA, Spring, etc.)
Knowledge of security architecture design and principles including confidentiality, integrity and availability.
Knowledge of automated code scanning tools (i.e.,) and development pipeline tools (i.e.,)
Understanding of security concepts and practices, including those for authentication, authorization, access control and auditing as well as best practices (e.g. OWASP).
Familiarity with application authentication and authorization systems (i.e., CA SiteMinder, RSA SecurID/ACE, Active Directory, and LDAP)
General knowledge of cryptography (symmetric and asymmetric encryption, digital signatures, message digests, certificates, PKI, SSL/TLS, etc.)
Fundamental understanding of endpoint security, network security, host intrusion detection/prevention and forensics
Knowledge of cloud (AWS, Azure, GCP) security concepts, best practices, and environments
Education and/or Experience:
Bachelor's degree in Cybersecurity, Computer Science, Management Information Systems, or related field or the equivalent combination of education and/or relevant experience
Experience writing scripts and working with containers in a CI/CD pipeline
At least 3+ years of experience in security-related roles or equivalent training/knowledge of security best practices and OWASP and NVD
Experience with SDLC and working with business users, database analysts, system architects, etc., to identify and prioritize requirements
Exposure to security architecture design through application development or knowledge of security concepts/best practices
Previous work in development, architecture or quality assurance testing may be applicable to the position requirements.
Certificates or Licenses:
Professional network and/or security certifications a plus (i.e., GIAC, CISSP, CISA, CISM, CRISC)
Cloud security automation certifications a plus (i.e. GCSA)
Penetration testing certifications a plus (i.e. OSCP, GWAPT)
Who We Are
The Options Clearing Corporation (OCC) is the world's largest equity derivatives clearing organization. Founded in 1973, OCC is dedicated to promoting stability and market integrity by delivering clearing and settlement services for options, futures and securities lending transactions. As a Systemically Important Financial Market Utility (SIFMU), OCC operates under the jurisdiction of the U.S. Securities and Exchange Commission (SEC), the U.S. Commodity Futures Trading Commission (CFTC), and the Board of Governors of the Federal Reserve System. OCC has more than 100 clearing members and provides central counterparty (CCP) clearing and settlement services to 19 exchanges and trading platforms. More information about OCC is available at www.theocc.com.
What We Offer
A highly collaborative and supportive environment developed to encourage work-life balance and employee wellness. Some of these components include:
A hybrid work environment, up to 3 days per week of remote work
Tuition Reimbursement to support your continued education
Student Loan Repayment Assistance
Technology Stipend allowing you to use the device of your choice to connect to our network while working remotely
Generous PTO and Parental leave
Competitive health benefits including medical, dental and vision
Date Posted
11/04/2022