Senior Application Security Reviewer

At EY, you’ll have the chance to build a career as unique as you are, with the global scale, support, inclusive culture and technology to become the best version of you. And we’re counting on your unique voice and perspective to help EY become even better, too. Join us and build an exceptional experience for yourself, and a better working world for all.

Job description - Senior – Risk Consulting

Job Title: Application Security Reviewer

Overview: We are seeking an experienced Application Security Reviewer to join our team. The candidate is responsible for conducting application security assessments to identify and mitigate potential security risks in our applications and systems. This role requires a deep understanding of security principles, threat modelling methodologies, and the ability to communicate findings effectively to technical and non-technical stakeholders.

Key Responsibilities:

• Threat Modelling: Must Have
  • Analyse software systems to identify potential threats and vulnerabilities.
  • Create and maintain threat models that outline potential attack vectors and prioritize security efforts (leveraging established Threat Model frameworks like STRIDE)
  • Collaborate with development teams to remediate identified vulnerabilities through code reviews and dynamic testing.
  • Validate threat models against industry standards and best practices, ensuring alignment with organizational security policies.
  • Document findings from threat modelling assessments, including identified risks, recommended mitigations, and action plans.
  • Prepare and present reports to stakeholders, summarizing assessments and providing actionable insights.

• Secure Code Review :
  • Review code written by developers to identify security flaws and ensure adherence to coding standards and best practices.
  • Integrate security into the software development lifecycle.

• Security Testing:
• • Perform various security tests, including Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Interactive Application Security Testing (IAST).

• Application Onboarding Support: Must Have
  • Provide technical guidance for application onboarding activities and assist developers in navigating the security review process.

• Stakeholder Engagement: Must Have
  • Work closely with development teams, product managers, and other stakeholders to gather information and understand application architecture.
  • Build and nurture positive working relationships with stakeholders and leadership, acting as a trusted advisor for the clients.
  • Support app teams in drawing Threat Models and Data Flow Diagrams

• Process Improvement:
  • Stay up to date with the latest security threats, vulnerabilities, and trends in threat modelling methodologies.
  • Design and implement process improvements for the Application Security program.
  • Assist in the review and assessment of tools and technologies leveraged and identify opportunities for automating application security review and tracking workflows, enhancing threat model review tools, etc.

Education Qualifications:

• Education: Bachelor’s degree in information technology, Cybersecurity, Business Management, or a related field.

Experience: Must Have

• 4+ years of experience with various threat modelling tools and methodologies.
• 4+ years of experience in engineering, product/technical program management, data analysis, or product development.
• 4+ years of experience working in cross-functional and/or cross-team projects.
• 4+ years of combined experience in technology administration/management, technical risk management, and software development/engineering.
• Strong exposure working in client facing roles.

Preferred Qualifications:

• Certifications such as Certified Information Systems Security Professional (CISSP) or Certified Ethical Hacker (CEH) are a plus.
• Basic to moderate coding skills and experience working on application or service development teams.
• Strong written and oral communication skills, with the ability to tailor communications based on the audience.
• Self-motivated with the ability to work independently.
• Strong analytical skills with the ability to think creatively and influence change.

Technical Skills:

• Understanding of cloud computing, networking, and common cloud-based application architectures.
• Familiarity with application security concepts, software development processes, and security frameworks (e.g., OWASP, NIST).

EY | Building a better working world

EY exists to build a better working world, helping to create long-term value for clients, people and society and build trust in the capital markets.

Enabled by data and technology, diverse EY teams in over 150 countries provide trust through assurance and help clients grow, transform and operate.

Working across assurance, consulting, law, strategy, tax and transactions, EY teams ask better questions to find new answers for the complex issues facing our world today.