Deloitte’s Cyber Risk Services help our clients to be secure, vigilant, and resilient in the face of an ever-increasing array of cyber threats and vulnerabilities. Our Cyber Risk practice helps organizations with the management of information and technology risks by delivering end-to-end solutions using proven methodologies and tools in a consistent manner. Our services help organizations to address, in a timely manner, pervasive issues, such as identity theft, data security breaches, data leakage, cyber security, and system outages across organizations of various sizes and industries with the goal of enabling ongoing, secure, and reliable operations across the enterprise.

Work you will do

As a Project Delivery Lead in the operate engagements, you are responsible for adhering to the defined operating procedures and guidelines in operating the application security services in the Managed Services model, which includes the following:

• Understand and be compliant with the Service Level Agreements defined for the SAST and SCA
• Deep knowledge of application security engineering principles and helping client’s development team to follow secure development practices which includes primarily monitoring and performing the security testing, secure code review, secure build, Software Composition Analysis processes.
• Utilize SAST tools and methodologies to analyze source code, identifying security vulnerabilities and weaknesses in applications.
• Conduct in-depth code reviews and analysis to identify and prioritize security issues. Collaborate with development teams to remediate vulnerabilities.
• Manage and maintain SAST tools and associated infrastructure. Configure and fine-tune scans to align with specific project requirements.
• Generate comprehensive reports on identified security vulnerabilities, their impact, and recommended remediation steps.
• Lead a team of VM professionals, ensuring adherence to Service Level Agreements (SLAs).
• Direct daily security operations, lead teams, and collaborate with key stakeholders to foster continuous improvements while ensuring operational stability.
• Display strong leadership and communication skills to manage a team operating 24/7.
• Collaborating with the development team to manage defects and issues. Helping prioritize and fix security-related issues at the code level.
• Work closely with the development and DevSecOps teams to facilitate the resolution of security findings and track progress.
• Provide training and awareness programs for development teams to enhance their understanding of secure coding practices.
• Stay current with emerging threats, vulnerabilities, and industry best practices to ensure that SAST processes remain up-to-date and effective.
• Use SCA tools and techniques to identify open-source components and dependencies within applications.
• Ensure compliance with open-source licenses and provide guidance on license management.
• Perform security assessments on open-source components to identify vulnerabilities and risks.
• Evaluate the security, quality, and maintenance status of open-source components.
• Collaborate with development teams to prioritize and remediate open-source vulnerabilities.
• Maintain and configure SCA tools, ensuring they are integrated into the development process.
• Maintain accurate records of open-source components, licenses, and known vulnerabilities.
• Work closely with development teams and DevSecOps to facilitate the resolution of open-source component-related issues.
• Stay up to date with industry trends, vulnerabilities, and best practices related to open-source software.
• Understanding of vulnerability classification using National Vulnerability Database nomenclature such as CVE/CVSS.

The team

Deloitte’s DevSecOps is a standardized process, to help clients with large development functions, and application dependencies for their day-to-day operations. The process enables the client to address key vulnerabilities and risks associated with their various application environment at different stages of their development lifecycle.

At the core of our Application Security Managed Services Team professionals’ monitors, collects and analyses security related issues on application environment (both at code level and infrastructure level), that may potentially become a threat to an organization. This detection of application threats/vulnerabilities is carried out using a unique blend of our application security testing and monitoring tools and intelligence data collected through our vast experience within the Advice and Implement business.

Required:

• Bachelor's in Computer Science, Cyber Security, Information Security, Engineering, or Information Technology.
• 6+ years of experience in application security development, security testing, secure code review, software composition analysis
• Proficient in application specific vulnerabilities, code development and infrastructure knowledge
• Proficient in investigation, troubleshooting and analytical problem-solving
• Deep expertise in collecting, analyzing, and interpreting qualitative and quantitative data from defined application security services related sources (tools, monitoring techniques etc.)
• Knowledge and experience of OWASP Top 10, SANS Secure Programming, Security Engineering Principles
• Proven experience with SAST tools (e.g., Checkmarx, Fortify, Veracode) and scans using GitLab etc.
• Skilled in performing code review of dot Net, Java, and Swift and objective C
• Skilled in running, installing, and managing SAST and SCA tools, such as SonarQube, Checkmarx, Fortify, Contrast, Veracode, Black Duck, Snyk, WhiteSource in large enterprise.
• Skilled in configuring and managing DAST and VM tools, such as Tenable IO in large enterprise.
• Skilled in configuring and managing Attack Surface Management tools such as Xpanse.
• Skilled in configuring and managing Prisma cloud workload protection, application security, WAAS etc.
• Skilled in managing pen test scans and validations using tools such as Bishop Fox
• Knowledge of Cyber asset management tools such as Axonius
• Proven experience in application health monitoring tools such as Bitsight
• Knowledge of open-source licensing and its implications.
• Understanding of leading vulnerability scoring standards, such as CVSS, and ability to translate vulnerability severity as security risk.
• Knowledge of CI/CD tool set and integrating security tools with CI/CD tool set.
• Skilled in conducting Secure code review and Software composition analysis using automated tools.
• Experience with application monitoring, managed services business primarily on Secure code review, Software Composition Analysis.
• Skilled in managing, leading, training and mentoring teams.
• Excellent communication skills, both verbal and written.
• Ability to travel up to 30%, on average, based on the work you do and the clients and industries/sectors you serve
• Limited immigration sponsorship may be available
  

Preferred:

• Strong understanding of programming languages and application security principles.
• Solid and demonstrable comprehension of Information Security including OWASP/SANS, False Positive analysis, Vulnerability triaging and management
• Understanding of software development practices and open-source software ecosystems.
• Ability to research and characterize security vulnerabilities to include identification and classification of application related threat indicators
• Previous consulting experience, particularly with Big 4 firms, is preferred.
• Professional certifications around CISSP, Cloud, CISM, or CISA are highly desirable.
• Solid understanding of the ITIL framework, with specific knowledge in Incident Management, Change Management, and Problem Management

Information for applicants with a need for accommodation: https://www2.deloitte.com/us/en/pages/careers/articles/join-deloitte-assistance-for-disabled-applicants.html

The wage range for this role takes into account the wide range of factors that are considered in making compensation decisions including but not limited to skill sets; experience and training; licensure and certifications; and other business and organizational needs. The disclosed range estimate has not been adjusted for the applicable geographic differential associated with the location at which the position may be filled. At Deloitte, it is not typical for an individual to be hired at or near the top of the range for their role and compensation decisions are dependent on the facts and circumstances of each case. A reasonable estimate of the current range is $80,370 to $141,000.         

You may also be eligible to participate in a discretionary annual incentive program, subject to the rules governing the program, whereby an award, if any, depends on various factors, including, without limitation, individual and organizational performance.