
Global Security Application Analyst – Deloitte Company – Location Princeton, NJ, US
Deloitte leads with purpose, solving complex issues for our clients and communities. Across disciplines and across borders, Deloitte Touche Tohmatsu Limited (DTTL) Global supports our network of national member firms by developing and driving global strategy, programs, and platforms, and creating new solutions and transformational experiences. Our people share a passion for igniting change and a strong service orientation that shapes our organization and those it supports.
The Deloitte Global Cybersecurity function is responsible for the firm’s overall objectives of enhancing data protection, standardizing and securing critical infrastructure and gaining cyber visibility through security operations centers. The Cybersecurity organization delivers a comprehensive set of cybersecurity services to Deloitte member firms through regional delivery hubs and a Global Fusion Center. We are seeking a Global Security Application Analyst to join the team.
The Global Security Application Analyst is a part of the Cybersecurity Architecture and Engineering team and reports to the DevSecOps Security Transformation Leader. This role focuses on partnering with the GTS Product Development & Solution Engineering teams’ leaders to create, implement and apply DevSecOps principles, processes and culture. The analyst also provides subject matter expertise on DevSecOps, leading our engineering teams in building secure software and implementing security controls and tests in an Agile development environment. On the software side, the candidate is expected to advocate to the engineering teams advanced Cybersecurity, DevSecOps, and Agile engineering procedures such as secure coding practices, code reviews, quality engineering practices (i.e., unit, full-build, and security testing) and advanced requirement capturing techniques for improving end-to-end secure delivery practices. On the infrastructure side, the candidate will work to harden cloud infrastructure from attacks by implementing automated and integrated release cycles incorporated within the Agile Security Software Development Lifecycle’s (SSDL) tools and processes. The candidate will strive to bring excellence and simplicity to DevSecOps design, adoption and implementation, acting as a trusted cybersecurity advisor to the engineering teams across GTS and member firms.
As Part Of The Global Cybersecurity Team, This Professional
Strategic
- Is responsible for day-to-day collaboration with the engineering teams to ensure successful implementation of secure coding practices and consistent automation and integration of the DevSecOps processes across Deloitte
- Supports and maintains the Secure Systems Development Lifecycle (SSDLC), including functional and non-functional cybersecurity requirements for all new applications
- Works with the Cybersecurity Strategy and Governance group to implement the setup of, and updates to, the cybersecurity assessment process
- Works with global business functions (e.g. Tax, Audit, Consulting, Advisory) and Global Digital Application Studios (GDAS) to automate and integrate application and system cybersecurity assessments into their processes to ensure consistent implementation of security controls. Understands the impact these security controls have on the respective organizations and their ability to effectively deliver client services
- Performs in-depth vulnerability management analysis and remediation prioritization for Global Digital Application Studios
- Working with the Cybersecurity Architecture team, learns and applies reference architectures for security solutions design and implementation
- Assists with the design and implementation of new technical cybersecurity shared services
- Working with the Cyber Defense group and the Security Operations Center, evaluates the effectiveness of the security controls and architectures in relationship to actual intrusions seen on the Deloitte network, reported threats at peer organizations and overall cybersecurity threats in the internet ecosystem
Operational
- Collaborates with the development studios to apply the best practices of secure engineering/development/coding, including but not limited to cloud technology, internet servers, application whitelisting, virtualized containers and orchestration, web-enabled database applications and databases, network security, security engineering, data integrity, intrusion detection, firewall management, forensic and legal information security, virtual private networks, public key infrastructure/digital signatures, encryption, network security architecture and DNS policy.
- Champions the Security Software Development Lifecycle (SSDLC) by discovering and raising security concerns in the existing development workflow and helps development teams build security awareness and thinking into every stage of the software development process. Recognizes security implications in the software/code acceptance phase, including completion criteria, risk acceptance and documentation, common criteria, and methods of independent testing.
- Develops automation and integration code (e.g., Java, .Net, Python, Visual Basic, PowerShell, Bash, C++, Django, JavaScript, HTML, CSS) to interact with REST APIs and API-driven security technologies, automating security tasks to remove human errors and inconsistencies and to optimize the application workflow.
- Participates in daily scrums of the agile software development teams he/she is supporting to address cybersecurity requirements.
- Coordinates with teams across the enterprise on the migration of existing IT services to the cloud and identifies security technical requirements, potential problems and issues
- Supports SOC and threat intelligence capabilities by customizing tools and automating processes for SOC and IR analysts.
- Applies coding and testing standards and security testing tools (including fuzzing and static-analysis code scanning tools), identifies common coding flaws, performs threat modelling, and conducts code reviews
- Participates in application, network, and system design to ensure implementation of appropriate systems security policies, and designs and implements systems security and data assurance
Relationship Management
- Holds a strong working relationship with the GDAS development studios and supports their automation and integration efforts in evolving DevOps to DevSecOps
- Works closely with the Shared Security Service Owners to ensure new IT solutions and major changes receive appropriate implementation, optimization, and testing prior to deployment into production
- Works with the Global Business Services and Member Firm Services organizations to ensure new products and services follow the best practices for secure engineering and supports the automation and integration of such in the development CI/CD pipelines.
Expectations from The Professional
Our purpose is to make an impact that matters, and our aspiration is to be the undisputed leader in professional services. At the root of these goals are our Shared Values, which describe the distinctive Deloitte culture. Our Values are timeless, all-encompassing and embrace the cultures in which Deloitte member firms operate. We expect all professionals to live our purpose and shared values and be the brand ambassadors holding Deloitte Global and member firms together.
Integrity
At Deloitte, everything we do starts with integrity. In our marketplace, nothing is more important than our reputation and, accordingly, we commit to conducting business with honesty, distinctive quality, and high levels of professional behavior.
Outstanding value to markets and clients
We play a critical role in helping both the capital markets and our member firm clients operate more effectively. We consider this role a privilege, and we know it requires constant vigilance and unrelenting commitment.
Commitment To Each Other
We are proud of our culture of borderless collegiality and work hard to support our people. We strive to create an inclusive environment that reflects our strong, clear expectations about diversity, respect, and fair treatment.
Strength from cultural diversity
Our member firm clients’ business challenges are complex and benefit from the innovation and varied perspectives that our practitioners bring. We understand that working with people of different backgrounds, cultures, and thinking styles helps our people grow into better professionals and leaders.
Qualifications
Education
- Bachelor’s degree in Computer Science, Computer Engineering, technology-related field, or equivalent work experience
- Master’s degree preferred
Work Experience
Minimum of 5 years of combined experience in software engineering and DevOps/DevSecOps, preferably in an information security context
Certification
- Relevant Dev and DevOps Certifications (e.g., AWS, DevOps Certs, RHCE, Docker, Kubernetes) are strongly desirable, but not required
- Relevant technical certification preferred (CISSP-ISSEP, CEH, CCNP Security, GSEC)
Skills – Abilities
- Django, JavaScript, HTML, CSS, etc.
- Previous professional experience with performing integrated quality assurance testing for security functionality and resiliency to attacks.
- Previous professional experience with secure programming and identifying potential flaws in codes to mitigate vulnerabilities.
- Good understanding of common security practices (e.g., penetration testing) and how they impact the implementation of DevSecOps automation.
- Ability to translate the traditional SDLC approach (plan, code, build, test, release, deploy and monitor) to the phases of agile development when writing software to automate security-related tasks.
- Advanced technical skills and experience with cloud services (AWS, Azure, Google), continuous delivery systems and enhancing security processes and operations through automation.
- Hands-on experience with containerization, orchestration, and advanced techniques in Cloud infrastructure management (e.g., Infrastructure as Code, immutable infrastructure, Configuration as Code, etc.)
- Advanced knowledge of Source Code Management concepts (code lines, branching, merging, integration, versioning, etc.)
- Advanced working knowledge of the following: Encryption algorithms, secure communications, network and data communication protocols.
- Excellent problem solving, analytical skills and technical troubleshooting skills
- Ability to collaborate with customers/stakeholders, developers, testers, project managers, support staff
- Extensive experience acquiring in-depth understanding of large, complex software systems to isolate defects, reproduce defects, assess risk, and understand varied customer deployments
- Excellent written and verbal communication skills, interpersonal and collaborative skills, and the ability to communicate strategic information security topics, policies and standards as well as risk-related concepts to technical and nontechnical audiences at various hierarchical levels
- Good knowledge of key cybersecurity technologies such as application security design principles, authentication and authorization models, secure coding, application and penetration testing, encryption, vulnerability management, and security information and event management (SIEM)
- Knowledge of common information security management frameworks, such as ISO/IEC 27001, COBIT, and NIST, including 800-53 and the Cybersecurity Framework
- Ability to travel as needed (no more than 15%)
All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, age, disability, or protected veteran status, or any other legally protected basis, in accordance with applicable law.
Disclaimer: Nothing in this job description/posting shall constitute an offer or promise of employment. If you are not reviewing this job posting on our Careers’ site (jobs2.deloitte.com) or one of our approved job boards we cannot guarantee the validity of this posting. For a list of our current postings, please visit us at jobs2.deloitte.com
Requisition code: D58313