
Assistant Vice President / Vice President, Static Application Security Assessor, Global Information Security

Tokyo, Japan

Job Description:

Your background

Required Skills:

  • 5+ years’ experience in web application, web service or REST service development using any of the following languages/platforms: Java/JEE, .NET, Android, iOS/Swift.
  • 3+ years’ experience with front-end technologies such as HTML5, CSS3, TypeScript, JavaScript, Angular, React, etc.
  • 3+ years’ experience with open-source frameworks and libraries such as Spring Boot, Struts, Hibernate, log4j, slf4j, Axis/CXF, etc.
  • Knowledge of application servers like Tomcat, JBoss, IIS etc.
  • Understanding of enterprise architectures and best practices for high-volume, high-availability web / mobile apps
  • Knowledge of network and web related protocols/technologies
  • Knowledge of Secure Coding.
  • Knowledge of Common Weakness Enumeration (CWE) and Common Vulnerabilities and Exposures (CVE) and remediation recommendations
  • Experience in SAST assessment and tools such as Checkmarx, Fortify, etc.
  • Must be a team player and adaptable.
  • Must be able to manage tasks with minimum supervision.
  • Must be open to learning new technologies whenever required.

Preferred Skills:

  • Experience with .NET is a plus.
  • Familiarity with vulnerability classes and attack methods (e.g., Remote Code Execution, Cross-Site Scripting, Code Injection) and how to identify, trace and remediate them.
  • Experience in coding exploits using Python, Perl, etc.
  • Experience with DAST tools such as HCL AppScan, NetSPI, etc.
  • Experience in manual ethical hacking (manual penetration testing).
  • Experience with intercepting proxy tools such as Burp Suite, OWASP ZAP, etc.
  • Experience with SoapUI.
  • Experience as a developer and / or architect at a Financial Institution is a plus.
  • One or more of the following certifications: GWAPT, CEH, OSCP, OSWE (or qualified work experience).

What you can expect

Cyber Security Technology (CST) is a globally distributed team responsible for cyber security innovation and architecture, engineering, solutions and capabilities development, cyber resiliency, access management engineering, data strategy, deployment maintenance, technical project management, information technology security control support, and vulnerability assessment / penetration testing.

The Static Application Security Assessor will conduct source code scans and penetration tests to detect vulnerabilities in the web and mobile applications developed at the Bank. The assessor will also collaborate with developers on architecture and code reviews to prevent additional security vulnerabilities.

You will need enterprise-grade coding skills to advise development teams on how to remediate security vulnerabilities as well as good communications skills to convey to senior management the risk the vulnerabilities present. As a hybrid assessor, you will develop your skillset in both static code scanning and dynamic penetration testing.

What you will do

  • Primary responsibility will be source code review of findings reported by SAST scans, applying secure coding expertise to separate true positives from false positives.
  • Host discussions with application managers, development teams and other stakeholders to explain the secure-coding rationale behind identified vulnerabilities.
  • Advise development teams on how to remediate security vulnerabilities, and communicate to senior management the risk those vulnerabilities present.
  • Correlate SAST and DAST findings for better analysis.
  • Test remediated code to confirm that fixes are effective.
  • Collaborate with application security engineers to configure and tune scanners.

About Bank of America

Our purpose as a firm is to make financial lives better, through the power of every connection. Across the world, we partner with leading corporate and institutional investors through our offices in more than 35 countries. In the U.S. alone, we serve almost all of the Fortune 500 companies and approximately 67 million consumer and small-business clients. We provide a full suite of financial products and services, from banking and investments to asset and risk management. We cover a broad range of asset classes, making us a global leader in corporate and investment banking, sales and trading.

Connecting Asia Pacific to the world

Our Asia Pacific team is spread across 19 cities in 12 markets. We are focused on connecting Asia to the world and the world to Asia, using our global expertise to ensure success is shared between us, our clients and our communities. Our regional footprint covers 12 currencies, more than a dozen languages and five time zones, placing us firmly among the region’s leading financial services companies.

Job Band:

H5

Hours Per Week:

36.25

Referral Bonus Amount:

0


Full time

JR-22055940

Talent Acquisition Contact:

Wayne Tan