Full Job Description
CME Group is the world’s leading and most diverse derivatives marketplace. But who we are goes deeper than that. Here, you can impact markets worldwide. Transform industries. And build a career shaping tomorrow. We invest in your success and you own it, all while working alongside a team of leading experts who inspire you in ways big and small. Joining our company gives you the opportunity to make a difference in global financial markets every day, whether you work on our industry-leading technology and risk management services, our benchmark products or in a corporate services area that helps us serve our customers better. We’re small enough for you and your contributions to be known. But big enough for your ideas to make an impact. The pace is dynamic, the work is unlike any other firm in the business, and the possibilities are endless. Problem solvers, difference makers, trailblazers. Those are our people. And we’re looking for more.
To learn more about what a career at CME Group can offer you, visit us at www.wherefuturesaremade.com.
The Lead Security Engineer is responsible for performing advanced manual security assessments on in-house or 3rd party applications and systems, and for providing detailed written reports to key business stakeholders (management, development teams). Additionally, the individual will provide application design support and security best practice guidance, in the form of consultations, to various development teams and business stakeholders.
This role leads by example by performing all the Application Security team responsibilities and provides training opportunities for other team members on areas such as testing methodology, technical questions, and delivery communications.
As a technical expert in the Application Security Assessment team, this role must effectively communicate with CME technology, business, and third-party partners.
Requirements
10+ years’ experience performing security assessments of a wide variety of systems, applications and technologies.
Expert level skills with application security testing tools including: Burp Suite Pro, Kali, Checkmarx, sqlmap, nmap, Wireshark, etc.
Expert knowledge of the Open Web Application Security Project (OWASP) Top 10 most critical web application vulnerabilities and how to identify and remediate them.
Advanced knowledge of, and experience performing, manual security reviews of application source code for security vulnerabilities, in various languages including: Java, .Net (C#, VB#), C++, *.
Advanced knowledge of application reverse engineering and of tools such as: Java decompilers, .Net decompilers, IDA Pro, etc.
Advanced knowledge of UNIX/Linux/Windows.
Advanced knowledge of scripting languages such as: Python, bash, PowerShell, etc.
Experience drafting Security Standards, Reference Architectures and Secure Technical Implementation Guidelines.
Have a passion for application security testing and be able to share your passion and learnings with teammates and customers.
Self-motivated and a self-starter (If you have a question, find the answer, ask somebody, figure it out, and communicate).
Excellent oral and written communication skills.
Principal Accountabilities
Independently perform all functions and services of the GIS Application Security (AppSec) team.
Conduct web application, micro-services, mobile, and API penetration tests on in-house or 3rd party developed applications and systems.
Perform targeted manual security reviews at key points in the software development life cycle.
Perform peer reviews of assessment reports and provide constructive guidance to team members.
Provide technical guidance to team members and other stakeholders (e.g. development teams, project teams, business stakeholders).
Train others on tools and processes used in AppSec methodology.
Provide input for strategic visioning / planning.
Identify the need for, and develop, new security standards and reference architectures.
Identify metrics that can help measure performance, gaps in coverage, need for headcount, and trends in findings.
Identify and document process improvements, build team and management support for them, and prioritize changes.
Establish yourself as a recognized technical expert within the team and as the GIS representative outside the team.
Have an interest in continuing your education and training and staying current within the application security domain.
Education
A Bachelor’s or Master’s degree in Computer Science, Information Systems or other related discipline is required, or an equivalent combination of education and relevant, proven work experience.
Training/Certifications
Certifications such as GWAPT, OSCP/OSWE, CISSP, eWAPTx or other relevant certifications are highly preferred.