Assistant Manager Technology Services

Noida, Uttar Pradesh, India

Job Description



Position Summary

Application Security plays a critical role in ensuring the security of MetLife’s application assets while protecting customer and MetLife data, and is a top area of focus at MetLife. As part of the Application Security team, we are responsible for supporting cybersecurity globally by helping the application development (AD) teams through the entire AppSec program: continuously and rigorously monitoring and testing in-scope applications to identify security threats and vulnerabilities that may be exploitable, and accordingly remediating, mitigating, or accepting the risk as per MetLife Application Security policy and control standards.
The manager of the application security program will be responsible for:


  • Scanning Internet & Intranet accessible applications – SAST & DAST scans
  • Perform Web and Mobile Application Ethical Hacking, threat assessments, Web Services penetration testing (RESTful and SOAP) using both automated and manual techniques
  • Perform security tests on cloud networks, web-based applications/mobile-applications (Android & iOS)
  • Use testing methods to pinpoint ways that attackers could exploit weaknesses in security systems
  • Deploy and operationalize Runtime Application Self Protection (RASP) technologies
  • Maintain knowledge of adversary Tactics, Techniques and Procedures (TTP), assess critical cybersecurity incidents and review detective/preventive controls across each stage of the Cyber Kill Chain
  • Implement Application/Website inventory controls to support continuous monitoring of MetLife’s attack surface, identify threats, prioritize remediation, and report potential risks to the organization
  • Integrating security tools, standards, and processes into the product life cycle (PLC)
  • Improving and supporting application security tool deployments including Static Analysis and runtime testing tools
  • Improving and maintaining secure development standards
  • Managing annual penetration testing services, including both expert consulting and managed services
  • Providing manual penetration testing and standards gap analysis services to internal business and technology partners
  • Ensuring that developers and QA personnel are trained with an appropriate level of security knowledge to perform their daily activities
  • Supporting the incident response and architecture review processes whenever application security expertise is needed
  • Managing application framework and perimeter security improvement projects
  • Supporting Vendor Security activities to ensure 3rd‐party software and development meets MetLife security standards
  • Integrating threat modeling practices into the product life cycle
  • Providing security requirements for test‐driven design
  • Producing metrics reporting the state of application security
Additionally, the role also focuses on:
  • Provide multi-disciplinary knowledge, skills and experience in Application security and management
  • Perform vulnerability testing, risk analyses and security assessments
  • Act as a consultant/advisor in presenting risk and mitigation controls to developers based on assessments
  • Interact with clients in a collaborative consultative manner to deliver results, provide feedback and remediation recommendations on findings
  • Act as your liaison to our external testing partners before, during, and after testing
  • Create, manage and administer Veracode/User profiles for AD team members
  • Onboarding and access provisioning for Information Security team members on Veracode, Primeon, the AppSec SharePoint site, etc.


Job Responsibilities


  • Should have a minimum of 8+ years’ experience in the Application Security field, secure code reviews and secure SDLC design
  • Should have an excellent understanding of common Web Application vulnerabilities like SQLi, XSS, CSRF, and HTTP Flooding
  • Good experience in conducting Application level testing (SAST/DAST/AEH)
  • Certified/Experience with Veracode, BurpSuite, Cyberpion, Signal Sciences, Nessus, NMap, etc. (preferably BurpSuite and Veracode SAST/DAST testing experience)
  • Deliver client engagements in Application Security and Vulnerability Assessment/Penetration Testing
  • Serve as the subject matter expert on a number of security technologies and security-centric standardizations
  • Write and maintain technical documentation including design docs, test plans, project plans, procedures, incident reports and troubleshooting guides
  • Participation in the daily planning, tracking, scheduling and execution of deliverables, management activities


Knowledge, Skills and Abilities


Education

  • IT Graduate
  • Bachelor’s degree in Computer Science, Cyber Security or a related field
  • Knowledge of Databases, Networks, Hardware, Firewalls and Encryption


Experience

  • 8 years of overall industry experience with a minimum of 7 years of experience in the Application Security field
  • Must possess problem-solving, planning, and analytical skills to drive continuous improvements


Knowledge and skills
(general and technical)

  • SAST, DAST, BurpSuite, Cyberpion, Signal Sciences scanning
  • IDS/IPS, penetration and vulnerability testing
  • Application security and encryption technologies
  • Secure coding practices, ethical hacking and threat modeling
  • ISO 27001/27002, ITIL and COBIT frameworks
  • Windows, UNIX and Linux operating systems
  • C, C++, C#, Java or PHP programming languages (preferred)
  • Exposure to IT Archer Findings
  • Exposure to enterprise SharePoint
  • Intermediate MS Office skills


Other Requirements
(licenses, certifications, specialized training – if required)

  • Certifications – CIISP, GIAC Penetration Tester (GPEN), GIAC Certified Incident Handler (GCIH), GIAC Certified Forensics Analyst (GCFA), Certified Ethical Hacker (CEH), Offensive Security OSCP, OSWE or OSCE certifications preferred


Working Relationships


Internal Contacts

(and purpose of relationship):


  • All Internal GOSC Stakeholders


External Contacts
(and purpose of relationship) – If Applicable

  • Stateside Client/Engineers from different regional Security teams (such as Country/Regional Head for Monitoring/Containment)

MetLife:
MetLife, through its subsidiaries and affiliates, is one of the world’s leading financial services companies, providing insurance, annuities, employee benefits and asset management to help its individual and institutional customers navigate their changing world. Founded in 1868, MetLife has operations in more than 40 countries and holds leading market positions in the United States, Japan, Latin America, Asia, Europe and the Middle East.
We are ranked #44 on the Fortune 500 list for 2019. In 2019, we were named to the Dow Jones Sustainability Index (DJSI) for the fourth year in a row. DJSI is a global index to track the leading sustainability-driven companies.
MetLife is committed to building a purpose-driven and inclusive culture that energizes our people. Our employees work every day to help build a more confident future for people around the world.
MetLife is a proud Equal Employment Opportunity and Affirmative Action employer dedicated to attracting, retaining, and developing a diverse and inclusive workforce. All qualified applicants will receive consideration for employment at MetLife without regard to race, color, religion, sex (including pregnancy, childbirth, or related medical conditions), sexual orientation, gender identity or expression, age, disability, national origin, marital or domestic/civil partnership status, genetic information, citizenship status, uniformed service member or veteran status, or any other characteristic protected by law.


Job Detail

  • Job Id: JD2911257
  • Industry: Not mentioned
  • Total Positions: 1
  • Job Type: Full Time
  • Salary: Not mentioned
  • Employment Status: Permanent
  • Job Location: Noida, Uttar Pradesh, India
  • Education: Not mentioned
  • Experience: Year