JPMorgan Chase & Co. (NYSE: JPM) is a leading global financial services firm with assets of $2.6 trillion and operations worldwide. The firm is a leader in investment banking, financial services for consumers and small business, commercial banking, financial transaction processing, and asset management. A component of the Dow Jones Industrial Average, JPMorgan Chase & Co. serves millions of consumers in the United States and many of the world's most prominent corporate, institutional and government clients under its J.P. Morgan and Chase brands. Information about JPMorgan Chase & Co. is available at http://www.jpmorganchase.com/.
The Cybersecurity organization’s objective is to ensure that JPMC is able to effectively detect, prevent, and respond to cyber threats against our technology infrastructure. The scope of Cybersecurity comprises detection and monitoring of threats and vulnerabilities, managing security incidents, and evolving our preventive infrastructure to keep ahead of the threat. We accomplish this through strong information security leadership and active collaboration with line of business information risk managers to provide high quality security solutions and services that are focused on improving the Firm's risk posture.
The Java Security Engineer will be part of the JPMorgan Chase Application Security Group, which is responsible for working with the various software application development teams in JPMC to help them analyze and determine the applicability and severity of identified potential security vulnerabilities. You will consider the risk and severity of the vulnerability, comprehend any compensating controls and make joint assessment with AD team on exploitability and severity. When appropriate you will offer suggestions on remediation methods including compensating controls, version upgrades, and technology changes. You will monitor data feeds with new vulnerability and patch information as well as inventory/usage changes to proactively engage with the appropriate development teams to help determine appropriate plan of action.
The position has opportunities to build cutting edge web/net/mobile vulnerability inspection rules, to determine false positives of the scanning results, and to provide remediation recommendations.
The position will work closely with the Line of Business AD teams, Static Scanning Support Team, Mobile AD and Support Team, KPI Reporting Team (Radar/MAS), and external business partners to ensure that technologies and best practices are properly applied to protect JPMC’s products, services, and customer information.
- Contribute to the success of Firm-wide Application Security program by working with security architects, software security champions (SSCs), Application Security Champions (ASCs), application development (AD) managers, application developers, and information risk managers (IRMs) to deploy software security controls effectively.
- Govern, build, and maintain the JPMC static scanning complex's global rules/filters/templates and vendor rulepack updates, including but not limited to re-certification activities, change impact analysis, effectiveness assessments, and release tests for the crucial application security components.
- Coordinate and facilitate meetings to analyze code, to build application specific custom rules/filters, to implement and maintain the application specific rules/filters.
- Drive vulnerability remediation efforts, including identifying the vulnerability scenarios through the SSAP static scanning report, determining the remediation methodologies for the issue, coordinating a task force formed by members of different LOBs, and delivering the remediation run book to be shared by the AD communities.
- Work with AD teams to implement and maintain security frameworks within their applications.
- Provide expertise and support for security practices and controls in the rule development and deployment process (e.g. threat modeling, static scanning, native configuration checking, and pen testing).
- Distribute security intelligence and tangible security guidance to the ASCs; develop, modify, and provide training material to the ASC forum; and be able to present worldwide training to the ASC community to keep our development teams current with the most recent security knowledge.
- Assessing remediation approaches and requirements
- Evaluating existing solutions and providing feedback to strengthen them
- Understanding emerging trends, technical reviews, security threats, business requirements, and architectural views in order to provide input on solutions
- Collaborating with business and technology partners to understand the firm’s business goals.
- Providing support in guiding business and technology partners on application security matters
- Sharing of information about application security best practices, risks, interpretation of firm-wide standards, etc.
- Creating design templates and best practices in application security.
- 5+ years of hands on software development experience with Java
- 5+ years of experience in software security and software security vulnerabilities
- Expert knowledge of software vulnerability remediation techniques and libraries
- Expert knowledge of NVD, CVSS scoring, risk ranking, threats and vulnerabilities, and performing web application security assessments
- Proven ability to perform successful security code reviews. Must be able to clearly articulate your role in conducting the review, the issues you were able to identify, and how you successfully remediated the issue with the associated development team.
- Understanding of static code analysis tool principles and practices (e.g. HP Fortify, IBM AppScan Source, Pylint, RATS, Veracode, BlackDuck), with experience providing development teams tangible guidance to remedy vulnerability defects.
- Experience in working with common OSS frameworks.
- Thorough working knowledge of J2EE and security solutions within that framework.
- Deep code-level knowledge of common software security vulnerabilities and remediation methods for Java applications.
- Deep knowledge of the OWASP Top 10 and the ability to explain how these issues should be remediated.
- Expert level analyst with proven capability to comprehend various technology stacks related to web security, authentication, database security, session management, business logic and input validation methods.
- A minimum of 3 years of data analysis using SQL queries, Excel, and Access. The position requires the ability to generate reports and analyze data sets using custom-written SQL queries and Visual Basic for both Excel and Access.
- Proficiency with CVSS, CVE and related schema and scoring.
- Knowledge of common open source applications from Apache, Oracle, etc. and their known security vulnerabilities is a job requirement.
- Strong technical acumen, communication and influence skills. You should have the ability to explain in depth your assessment of a vulnerability to an application developer so they are able to understand the issue and successfully remediate the finding. The end result must be to resolve the security issue successfully.
- Experience in pen-testing is not required but is considered a plus.
- Professional certifications preferred (e.g. JPMC ASC, CSSLP, GSSP, CISA, CISSP)
- The candidate must be a "self starter", able to operate independently with minimal guidance, and produce tangible, measurable results.
- BS degree in computer engineering or equivalent.
- Ability to work under pressure in time critical situations
- Ability to resolve conflict in a collaborative manner
- Must be a driver of change and have strong influential skills
- Excellent written and verbal communication skills, including the ability to independently and effectively participate in strategic discussions / meetings with peers across the firm.
- Ability to communicate effectively with business representatives in explaining impacts and strategies and where necessary, in layman’s terms