Principal Application Security Architect
Sanlam
- Bellville, Cape Town
- Permanent
- Full-time
- Driving a comprehensive application security strategy.
- Threat mitigation and risk management.
- Secure architecture and design.
- Vulnerability management and code reviews.
- Securing the development lifecycle.
- Collaboration and communication with development teams and other stakeholders.
- Protecting global assets.
- Understanding regional requirements.
- Lead the development and execution of application security assessments.
- Ensure applications comply with all relevant security standards and regulations.
- Champion a "security by design" culture.
- Develop and maintain application security documentation.
- Develop and manage risk mitigation strategies.
- Work with other security teams (e.g., security operations).
- Stay up-to-date on the latest application security threats and vulnerabilities.
- Application Security Incident Response and Cyber Crisis Management.
- Participate in Group Information Security Programme (GISP) initiatives.
- Application Security (including cloud security), Infrastructure Security, and Cybersecurity Education, Training and Awareness.
- Provide regular feedback to Santam Manco on Group-wide application security issues.
- Clear and timely communication to management and users regarding application security matters.
- Application security risk assessment that identifies requirements for additional awareness or for targeted education, training, and awareness interventions.
- Review and respond to all application security-related audit findings.
- Produce required application security reports.
- Ensure that security 'gates' are a formal part of the SDLC/Agile/relevant solution development methodology.
- Active participation in Sanlam-sanctioned industry bodies (e.g. ISF Live, ISACA, FS-ISAC).
- Timeous escalation of new, high, or escalating cybersecurity risks.
- Engage with application owners and the Group Cyber Security Centre (GCSC) Operations Team to ensure that system vulnerabilities identified during penetration tests, Red Team exercises, or vulnerability scans are addressed.
- Ensure that the Group CIO is aware of risks and actions required.
- Conduct and document root cause analysis and implement permanent and/or long-term fixes for application security-related incidents.
- Strong understanding of integration between workstations and network/servers.
- A bachelor's degree or diploma in Cybersecurity, Computer Science, Information Systems, or a related field, or equivalent work experience.
- A recognised cybersecurity certification (e.g., Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Ethical Hacker (CEH), or similar) will be an advantage.
- 15+ years of experience in software engineering, with a significant portion of that in an architectural position focusing on cybersecurity within complex organisations, preferably in the financial services sector. The incumbent must have a solid technical software engineering background with a deep understanding of cybersecurity concepts, threats, and vulnerabilities.
- High Stress Tolerance.
- Building and maintaining relationships.
- Teamwork and ability to function independently.
- Facilitation Skills.
- Adaptability.
- Attention to detail.
- Planning and organising.
- Ability to work independently.
- Interpersonal savvy.
- Decision quality.
- Plans and aligns.
- Optimises work processes.
- Being resilient.
- Collaborates.
- Cultivates innovation.
- Customer focus.
- Drives results.
- Sensitivity to risk.
- Balances stakeholders.
- Reporting and administration.
- Programming Languages: It is crucial to understand the security considerations of languages like Java, Python, C#, JavaScript and emerging ones like Kotlin.
- Web Technologies: Familiarity with HTML, CSS, JavaScript frameworks like React and Angular, and web application security concepts is essential.
- Mobile Development: Security expertise in Android, iOS, and cross-platform frameworks like Flutter helps secure sensitive data on user devices.
- Cloud Security: A deep grasp of cloud platforms like AWS, Azure, and GCP and their security implications is vital for secure cloud deployments.
- API Security: Understanding API security best practices is critical to prevent unauthorized access and data breaches.
- Vulnerability Understanding: In-depth knowledge of common and obscure vulnerabilities in various technologies allows for accurate identification and exploitation for testing and mitigation purposes.
- Secure Coding Practices: Expertise in secure coding principles and best practices for different languages and frameworks empowers proactive vulnerability prevention.
- Threat Modelling: The ability to analyse application architecture and functionality to anticipate potential attack vectors and proactively address them is crucial.
- Security Scanners and Code Analysis Tools: It is vital to understand how to use these tools to identify vulnerabilities in code and recommend remediation strategies.
- Penetration Testing Tools: Familiarity with these allows for thorough vulnerability assessment and simulating real-world attack scenarios.
- Security Incident Response Tools: Knowledge of incident response tools and methodologies helps the incumbent handle security breaches effectively and minimise damage.
- Cryptography and Encryption: Understanding encryption algorithms and their application in securing data is essential.