SAIC has an opening for a Sr. Principal Cybersecurity Application Security Architect on our Corporate Cybersecurity team. This is a remote position that can be based anywhere in the United States.
The Sr. Principal Cybersecurity Application Security Architect will work in a collaborative effort with the Cybersecurity organization, Information Technology Office, and business units to assure operational and system security, risk, and technical controls are processed within the organization's security strategy, architecture, and practices.
This position reports directly to the Director of Cybersecurity Architecture, but works closely with development teams, product teams, and other teams across the organization to integrate security into the product lifecycle from design through deployment and practices.
The position requires being a subject matter expert in defining security requirements, performing application security assessments, and providing developers with remediation guidance and advice. On any given day the Sr. Principal Cybersecurity Application Security Architect can be pulled in to evaluate a new system, review a proposed network change, or provide guidance on application security/coding best practices.
- Work independently with developers, system/network administrators, product owners, and other colleagues to ensure secure design, development, and implementation of applications and networks
- Perform security architecture design reviews of COTS products and internally developed solutions
- Perform code analysis of applications, manually and using SAST and DAST scanning solutions; as well as conducting manual vulnerability analysis
- Provide remediation guidance and recommendations to developers and administrators
- Work with Software Engineering teams to help prioritize and validate urgency of mitigation of identified product vulnerabilities and security feature enhancement requests
- Define security best practices and standards and ensure Software Engineering teams understand them and receive pertinent annual secure coding training
- Maintain regular engagement and proactive partnership with business and technology teams to ensure assigned Cybersecurity strategies align with business and technical needs, requirements, and constraints
- Apply current knowledge of technology and cyber trends to identify security and risk management issues and other opportunities for improvement
- Understand technology trends and the practical application of existing, new and emerging technologies to enable new and evolving business and operating models
- Develop and maintain a security architecture process that enables the enterprise to develop and implement security solutions and capabilities that are clearly aligned with business, technology and threat drivers
- Develop and maintain security architecture artifacts (e.g., models, templates, standards and procedures) that can be used to leverage security capabilities in projects and operations
- Track developments and changes in the digital business and threat environments to ensure that they're adequately addressed in security strategy plans and architecture artifacts
- Review security technologies, tools and services, and make recommendations to the broader security team for their use, based on security, financial and operational metrics
- Liaise with IT Architecture Departments to share best practices and insights
- Liaise with Business Information Security Office and Business Resiliency teams to validate security practices for Business Continuity testing and operations when a failover
- Bachelor's Degree in Information Technology, Computer Science or a related field and 14+ years of experience; Master's Degree and 12+ years of experience; or PhD or JD and 9+ years of experience. An additional 4 years of experience may be considered in lieu of a degree.
- Preferred Certifications: Certified Secure Software Lifecycle Professional (CSSLP), Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC), Information Technology Infrastructure Library (ITIL).
- Experience working with development teams to build secure solutions.
- Experience breaking down complex systems and applications to find flaws.
- Strong familiarity with common vulnerabilities and attack vectors.
- Knowledge of web service technologies, load balancer services (e.g., Nginx, Cloudflare, F5) and RESTful APIs.
- Knowledge of ubiquitous encryption technologies (PGP, SSH, SSL, etc.) and common authentication protocols (OpenID Connect, OAuth, SAML, RADIUS, LDAP, Kerberos, etc.).
- Solid understanding of secure network and system design in both cloud (AWS, Azure, etc.) and conventional environments.
- Complete understanding of industry standards and frameworks such as COBIT, NIST, and ISO 27001.
- Proven experience in solving complex cyber-risk management issues.
- Proven ability to map and understand complex relationships and interactions between Enterprise Architecture, business direction, emerging trends, emerging technologies, and legacy systems.
- Ability to convey complex technical security concepts to technical and non-technical audiences including executives.
- Sound knowledge of Agile/Lean development methodologies and Continuous Deployment Tools and Techniques.
- Must be a critical thinker, with strong problem-solving skills.
- Self-starter, positive attitude, ability to work independently, enjoys learning and staying current with industry developments, regulations and best practices.
- Must be a US Citizen.
- A background integrating security testing into the SDLC (preferably the SCRUM framework).
- Previous work as an application security architect or related security role, where there is a commitment to information security and technology.
- Demonstrated experience using DAST and SAST tools and services.
- Ability to manage multiple engagements and competing priorities in a rapidly growing, fast-paced, interactive, results-based team environment.
- Excellent verbal, written and interpersonal communication skills, including the ability to communicate effectively with the IT organization, project and application development teams, management and business personnel; in-depth knowledge and understanding of information risk concepts and principles as a means of relating business needs to security controls; and an excellent understanding of information security concepts, protocols, industry best practices and strategies.
- Experience working with legal, audit and compliance staff.
- Proficiency in performing risk, business impact, control and vulnerability assessments, and in defining treatment strategies.
- Strong analytical skills to analyze security requirements and relate them to appropriate security controls.
Target salary range: $150,001 - $175,000. The estimate displayed represents the typical salary range for this position based on experience and other factors.
Covid Policy: SAIC does not require COVID-19 vaccinations or boosters. Customer site vaccination requirements must be followed when work is performed at a customer site.
SAIC® is a premier Fortune 500® technology integrator driving our nation's technology transformation. Our robust portfolio of offerings across the defense, space, civilian, and intelligence markets includes secure high-end solutions in engineering, digital, artificial intelligence, and mission solutions. Using our expertise and understanding of existing and emerging technologies, we integrate the best components from our own portfolio and our partner ecosystem to deliver innovative, effective, and efficient solutions that are critical to achieving our customers' missions.
We are approximately 26,000 strong; driven by mission, united by purpose, and inspired by opportunities. SAIC is an Equal Opportunity Employer, fostering a culture of diversity, equity, and inclusion, which is core to our values and important to attract and retain exceptional talent. Headquartered in Reston, Virginia, SAIC has annual revenues of approximately $7.4 billion. For more information, visit saic.com. For ongoing news, please visit our newsroom.