Application Security Architecture

SUMMARY:
The Application Security Architect is required on a 12 - months contract and will be responsible for comprehensively reviewing the existing and new software application security configurations (on-premises and cloud), influencing change in the security controls standards, creation of easily consumed IT security standards, creation of application security architectures patterns & diagrams, and ownership of the application security capability roadmap. The application security architect role is a valued partner to development and engineering teams (internal and outsourced) to ensure secure architectures, patterns, and solutions are created and maintained for key applications for example the Fintech, digital, IoT and Cloud environments.

POSITION INFO:
Key Responsibilities:

• Participate in and lead the security design and implementation of all products across Financial Services, Consumer, Enterprise, Technology and Digital - design phase security and post implementation.
• Evaluate the ongoing effectiveness of security controls established to ensure the security of the Clients SA product and application suits.
• Partner with IT, Risk management and Group Security to develop a comprehensive set of cyber-security controls (policies and procedures) governing hosted and SaaS environments.
• Provide security guidance and review on business and technology products/ solutions, model threats and risks as well as the controls necessary to mitigate them, on both an organisational and technical level – thinking like a malicious hacker, understanding, and anticipating the moves and tactics that a hacker might use to attack the clients’ systems.
• Research, validation, and evaluation of all new product initiatives, with phase gates reviews presented to all stakeholders during the process.
• Ensure that third party solutions and products follow the clients Application Security controls and standards.
• Review the security design of the clients’ applications and products, drive the testing process (prior to deployment).
• Perform best-practices risk assessment of the clients’ product security stacks – Momo, Digital, Consumer, etc.
• Build security into the clients Software Development Lifecycle, creating and maintaining secure software development/ acquisition methodology - secure application development/ acquisition and coding practices across all development teams (internal and 3rd Party), security testing for existing and new systems, defining processes and establishing meaningful metrics for management.
• Implement security controls and technologies for managing Microservices, APIs and Containers.
• Work with the product teams to identify and assist with the implementation of policy, process, people, and technology improvements. This includes the use of automation and security specific testing tooling; Analysing and providing remediation guidance for identified weaknesses or vulnerabilities; validate and verify remediation implementation.
• Evaluate and oversee the security of outsourced / third-party technologies and hosting environments to ensure they provide adequate protection for the processing, transmission, and storage of the client’s information:     
• Implement Group reference architecture for integrating with third parties and partners.
• Implement mechanisms for vetting and implementing integration with cloud providers.
• Implement architectural and development standards for third party application security.
• Deliver technical security solutions, standards, and configurations for the clients SA Mobile Money technology stack, including the mobile money core system, third-party interfaces, and the internal core network interfaces. Special focus on integrating disparate systems, encryption, cryptographic protocols and algorithms, automatic patch management, security hardening of applications and devices, networks segregation with strong access controls, audit management and security monitoring, and ensuring the management of security compliance of the client’s mobile money products, services, and infrastructure.
• Evaluate outsourced Mobile Money integration points to ensure they provide adequate protection for the processing, transmission, and storage of transactions.
• Act as a subject matter expert to application development and support personnel for any/all issues regarding the security design or use of applications. This includes enterprise operational staff and business unit personnel.
• Create and execute a training and awareness program for secure development and best practice.

• Minimum of 3 years tertiary qualification in Information Technology/ Engineering
• CISSP/CEH/ CGEIT certification (one of)
• SABSA and/or TOGAF qualification will be an advantage.
• Business analysis/architecture qualifications
• Other qualifications (ITIL, TMF, COBIT) or product specific certification is an advantage.

• Minimum of 5 years of strong cybersecurity experience across network network, application (web, API) & public/private cloud security architecture (web application firewalls, containers, etc.)
• Experience in designing and implementing application security systems architecture.
• Experience in managing and implementing large scale security projects preferably with banking and telecoms companies.
• Other security experience such as incident handling (from appsec perspective), threat modelling, operations, GRC, OWASP, etc
• Experience in application development with at least one modern programming language, Devops and Agile methods.
• Experience in ethical hacking or vulnerability assessment on web apps, mobile, and thick client (scanners, fuzzers, debuggers, decompliers)
• Experience performing code reviews with associated applications such as static code and dynamic code analysis tools and in several languages.
• Knowledge of web application architectures, web stack technologies (HTTP, REST, etc..) and platforms (e.g., Apigee, AngularJS, Tomcat, .Net, MS SQL, etc.)

NB! This job is now closed. You can apply for other jobs by uploading your CV.