Assistant Director - Application Security - Omaha - 16513BR

Moody's is an essential component of the global capital markets, providing credit ratings, research, tools and analysis that contribute to transparent and integrated financial markets. Moody's Corporation (NYSE: MCO) is the parent company of Moody's Investors Service, which provides credit ratings and research covering debt instruments and securities, and Moody's Analytics, which offers leading-edge software, advisory services and research for credit and economic analysis and financial risk management. The Corporation, which reported revenue of $4.4 billion in 2018, employs approximately 13,100 people worldwide and maintains a presence in 42 countries. Further information is available at www.moodys.com.
Moody’s Analytics provides financial intelligence and analytical tools supporting our clients’ growth, efficiency and risk management objectives. The combination of our unparalleled expertise in risk, expansive information resources, and innovative application of technology, helps today’s business leaders confidently navigate an evolving marketplace.

Department

Credit Assessment & Origination

Job Description

As an Assistant Director of Application Security, you will be expected to have experience testing security solutions and applications. Deep knowledge of common web application vulnerabilities identified under OWASP Top 10 (e.g. XSS, CSRF, click jacking) and their mitigation strategies. You possess in-depth knowledge of computing security fundamentals. You are comfortable working in a Secure SDLC environment and familiar with CICD pipelines. The candidate should also have experience in application security tools like Burpsuite and zap and the CICD security plugins tools. As a security professional you wear different hats at different times depending on the needs of Risk Management and Security team and other teams as required. You are team player and work towards a common department goal and company’s vision.
Responsibilities but not limited to:
  • Dynamic Scanning
    • Evaluating external Pen Testing results – ensure results are mitigated within expected turnaround time based on risk level of items
    • Coordination with external vendors
    • Using tools like BurpSuite, OWASP ZAP and Fiddler to perform internal Pen Testing, verify the resolution of previously reported items and to pro-actively identify issues earlier in SDLC process
    • Using tools like Veracode and Whitehat for dynamic scanning and working with the team to educate them on best practices to resolve reported findings
  • Static Scanning
    • Using tools like Veracode and HP Fortify at the point of software builds
    • Using tools like Dependency Checker to identify all dependencies and any CWE’s (Common Weakness Enumeration)
    • Ensure secure coding standards are in place – educate team on standards and best practices – continue to grow standards over time
    • Ensure code reviews are in place and happening at the level we expect
  • Related Technologies:
    • .Net (ASP.Net / C#)
    • JavaScript
    • AngularJS
    • SQL Server / Postgresql
  • System security vulnerabilities and remediation techniques
  • Facilitating training and knowledge sharing with engineering team members
  • Network and web related protocols (e.g., TCP/IP, UDP, IPSEC, HTTP, HTTPS, routing protocols)
  • Security across multiple disciplines (data, database, operating system)
  • Other duties as assigned

Qualifications

Requirements
  • Minimum bachelor’s degree in computer science
  • Work with DEV and QA teams to ensure application security principles are enforced in various stages of SDLC process
  • Experience working in a security capacity with development team(s) that deliver a software-based service
  • Strong understanding of threat modeling and security methodologies
  • Familiar with protocol analysis and cryptography
  • Current security certifications like GCIH GWEB, CEH, OSCP, CISSP and others are nice to have but not required
  • Experience working on project teams in a collaborative environment
Moody’s is an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to race, color, sex, gender, age, religion, national origin, citizen status, marital status, physical or mental disability, military or veteran status, sexual orientation, gender identity, gender expression, genetic information, or any other characteristic protected by law. Moody’s also provides reasonable accommodation to qualified individuals with disabilities in accordance with applicable laws. If you need to inquire about a reasonable accommodation, or need assistance with completing the application process, please email accommodations@moodys.com.. This contact information is for accommodation requests only, and cannot be used to inquire about the status of applications.

For San Francisco positions, qualified applicants with criminal histories will be considered for employment consistent with the requirements of the San Francisco Fair Chance Ordinance. For New York City positions, qualified applicants with criminal histories will be considered for employment consistent with the requirements of the New York City Fair Chance Act. For all other applicants, qualified applicants with criminal histories will be considered for employment consistent with the requirements of applicable law.

Click here to view our full EEO policy statement. Click here for more information on your EEO rights under the law.
Candidates for Moody's Corporation may be asked to disclose securities holdings pursuant to Moody’s Policy for Securities Trading and the requirements of the position. Employment is contingent upon compliance with the Policy, including remediation of positions in those holdings as necessary.