Back

Threat Modeling Engineer - Application Security

Get Referred

Job Description

You Lead the Way. We’ve Got Your Back.

At American Express, we know that with the right backing, people and businesses have the power to progress in incredible ways.  Whether we’re supporting our customers’ financial confidence to move ahead, taking commerce to new heights, or encouraging people to explore the world, our colleagues are constantly redefining what’s possible - and we’re proud to back each other every step of the way. When you join #TeamAmex, you become part of a diverse community of over 60,000 colleagues, all with a common goal to deliver an exceptional customer experience every day.

American Express is seeking an Application Threat Modeling Engineer with proven strong technical competence in developing, building and maintaining secure design & secure coding patterns. The Application Threat Modeling Engineer serves as a subject matter expert in developing comprehensive security requirements across a diverse number of technology stacks.

The Application Threat Modeling Engineer supports the security champion practice by evangelizing secure design and secure coding controls.

Primary Responsibilities

  • Design, develop and maintain comprehensive secure design patterns.
  • Design, develop and maintain secure coding standards.
  • Maintain, update and enhance threat libraries.
  • Socialize and present secure design patterns and secure coding standards with engineering teams.

Minimum Qualifications

Security and Technical Experience

  • Must have 3+ years of strong application development experience.
  • Direct hands on experience with application threat modeling.
  • Direct hands on experience with threat modeling frameworks, attack vectors an vulnerability analysis: CAPEC, ATT&CK, STRIDE.
  • Direct hands on experience with cloud security requirements.
  • Direct hands on experience with application security controls (web, API and mobile).
  • Strong familiarity with IAM controls (OAuth 2.0, OIDC, JWT).
  • Strong familiarity with cryptography controls (Data at rest, in motion).
  • Experience with industry standards and frameworks: NIST 800-53, CSF, OWASP ASVS.
  • Full stack knowledge of application architectures including: single page applications, REST APIs, SOAP APIs, mobile applications.
  • Experience with Java, Javascript and mobile application development.
  • Full stack knowledge or familiarity with database architectures including Oracle, SQL, DB2 and NoSQL Databases.

Key Behaviors/Competencies

  • Self-directed, Confident Team Player
  • Strong Technical Thinker
  • Strong Planning, Execution and Collaborative skills
  • Communication skills — Good verbal and written communication skills. Ability to document risk and control summary artifacts that translates complex threat models into easy to read reports for the business.
  • Openness to Learning: Takes personal responsibility for learning and upskilling. Acquires strategies for gaining new knowledge, behaviors and skills. Builds on and applies existing knowledge. Engages in learning from others, inside and outside the organization.
  • Adaptability: Demonstrates flexibility within a variety of changing situations, while working with individuals and groups. Changes his or her own ideas or perceptions in response to changing circumstances.
  • Business Acumen: Demonstrates an awareness of American Express internal dynamics.

Education

  • Bachelor's degree in computer science, information systems, cybersecurity, or a related field.

Preferred Security Certifications

  • CISSP, SANS GIAC

Employment eligibility to work with American Express in the U.S. is required as the company will not pursue visa sponsorship for these positions.

American Express is an equal opportunity employer and makes employment decisions without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, protected veteran status, disability status, age, or any other status protected by law.


Tags: #LI-REMOTE
ReqID: 21005072
Schedule (Full-Time/Part-Time): Full-time
Date Posted: Apr 12, 2021, 1:28:17 PM