Engineering - Tech Risk Advisory – Associate - London

at  Goldman Sachs

WHO WE ARE

Led by the Chief Information Security Officer (CISO), Technology Risk secures Goldman Sachs against hackers and other cyber threats. We are responsible for detecting and preventing attempted cyber intrusions against the firm, helping the firm develop more secure applications and infrastructure, developing software in support of our efforts, measuring cybersecurity risk, and designing and driving implementation of cybersecurity controls. The team has global presence across the Americas, APAC, India and EMEA. Within Technology Risk, Advisory is the consultative and technology subject matter expertise arm, responsible for assessing new technology initiatives for risk, partnering with engineers to architect and design secure products and services, embedding implementation reviews as part of the SDLC and CI/CD pipeline via code analysis and penetration testing, and guiding technology innovation in terms of security and control across Goldman Sachs. The team plays a critical role in designing and assessing controls for our transition to building native public cloud applications.

BASIC QUALIFICATIONS:

You will use your strong technical, interpersonal, organizational, written, and verbal communication skills to interact with your internal clients locally and globally. Your knowledge of Software Development Lifecycle (SDLC), Application Security and Risk Management techniques and methodologies will enable you to be an active member of the team along with your professional experience in one, or more, of the following disciplines:

• Ability to explain common secure coding practices and application security vulnerabilities, based on guidance from the industry recognised cybersecurity frameworks and standards e.g. NIST Cyber Security Framework and OWASP.
• Ability to engage technical client base of engineers and communicate security requirements, potential risks, and influence development practices.
• Ability to communicate security flaws in a clear and concise manner to a broad range of audience from engineers, SMEs to senior management and provide clear remediation guidance.
• Experience with software development methodologies e.g. Agile, DevOps etc.
• Fluent in at least one major programming language (e.g. Java, Python, Go etc.)
• Working knowledge of CI/CD platforms e.g. Gitlab, AWS Code Commit and Deploy (or similar).
• Intermediate Knowledge of DevSecOps solutions i.e. ability to review identified findings, conduct analysis (e.g. impact, accuracy etc.), develop and customise detection capability of one or more of the following solutions:
• Static Application Security Testing (SAST)
• Dynamic/Interactive Application Security Testing (DAST/IAST)
• Software Composition Analysis (SCA)
• Infrastructure as Code (IaC)
• Container Security
• Mobile Security

PREFERRED QUALIFICATIONS:

• Project management skillsKnowledge of Cloud (AWS, GCP, Azure) and Cloud Security applications

JOB RESPONSIBILITIES:

• Lead and/or support static, dynamic and security awareness services.
• Drive adoption of application security controls within Software Development Life Cycle (SDLC).
• Review issues identified by S-SDLC tools, ensuring compliance to established review SLAs.
• Interface with Business Units, provide advice and consultation, to help remediate issues identified by S-SDLC tools.
• Develop, and customise rules, to improve detection capability of S-SDLC tools.
• Help engineer tools and solutions that facilitate the adoption of security controls.
• Develop Proof-of-Concepts (PoC), to be shown as solutions, and handover to Engineering for broader rollout.
• Work with engineers to develop customized security testing strategy to complement the existing security testing program managed by Technology Risk.
• Be responsible to communicate program to broader developers’ community for solutions that might impact Developer Experience (DevEx).
• Be responsible for the awareness, training and guidance on security related issues.Conduct product evaluation of solutions that may benefit the S-SDLC program.

You will use your strong technical, interpersonal, organizational, written, and verbal communication skills to interact with your internal clients locally and globally. Your knowledge of Software Development Lifecycle (SDLC), Application Security and Risk Management techniques and methodologies will enable you to be an active member of the team along with your professional experience in one, or more, of the following disciplines:

• Ability to explain common secure coding practices and application security vulnerabilities, based on guidance from the industry recognised cybersecurity frameworks and standards e.g. NIST Cyber Security Framework and OWASP.
• Ability to engage technical client base of engineers and communicate security requirements, potential risks, and influence development practices.
• Ability to communicate security flaws in a clear and concise manner to a broad range of audience from engineers, SMEs to senior management and provide clear remediation guidance.
• Experience with software development methodologies e.g. Agile, DevOps etc.
• Fluent in at least one major programming language (e.g. Java, Python, Go etc.)
• Working knowledge of CI/CD platforms e.g. Gitlab, AWS Code Commit and Deploy (or similar).
• Intermediate Knowledge of DevSecOps solutions i.e. ability to review identified findings, conduct analysis (e.g. impact, accuracy etc.), develop and customise detection capability of one or more of the following solutions:
• Static Application Security Testing (SAST)
• Dynamic/Interactive Application Security Testing (DAST/IAST)
• Software Composition Analysis (SCA)
• Infrastructure as Code (IaC)
• Container Security
• Mobile Securit