Information Security Engineer 4 - Secure Code Review, Wells Fargo

To apply: Go to www.wellsfargo.com/careers and apply to Requisition #3549913. Wells Fargo is an Affirmative Action and Equal Opportunity Employer M/F/D/V. © 2011 Wells Fargo Bank, N.A. All rights reserved. Member FDIC

Job Description:

The Secure Code Review (SCR) team is part of Security Consulting (CIS-C). Security Planning is the process of identifying, documenting, and consulting on specific Information Security threats and vulnerabilities, associated likelihood and impact, and mitigating controls in order to determine an overall risk rating. Results of the assessment are documented in a Security Plan. The results are completed to quantify risk so that we may make an informed decision on whether to accept the risk and/or mitigate the risk where no known (or insufficient) controls exist. SCR's part of this process is to identify and assess risks present in applications using a hybrid static analysis methodology.

Specific Duties:

The critical skills / competencies required for the position are in-depth knowledge and understanding of computer applications, including various languages (e.g., Java, ASP, .NET, C++, C#), plus knowledge of risk assessment methodologies and frameworks and how to apply them to diverse applications. The skills to gather relevant information, including environmental characterization, threat identification, vulnerability identification and control analysis. The skills to analyze information, including likelihood determination, impact analysis and risk determination. The skills to prioritize risk responses, including control recommendation and documentation. Strong communication (verbal and written), negotiation, problem solving and business line engagement required. Selected individual will successfully comprehend large complex applications written by others from reading code. Handles multiple complex assignments simultaneously. Good communication and writing skills with the ability to talk to both business people and technical people. Should be able to communicate complex subjects in easy-to-understand terms. Stays current with emerging technologies and industry trends.

Position can be located anywhere within the lower 48 states - this excludes Hawaii and Alaska.

Basic Qualifications:

5+ years of experience in security applications and systems.

Minimum Qualifications:

4 years of software development experience

Experience with web-based application development

2 years of experience with J2EE (servlet/JSP) or ASP.NET (C#)

Experience with relational databases from an application development perspective

Knowledge of application security vulnerabilities such as the OWASP Top 10

Ability to handle difficult situations and to provide alternative solutions or workarounds

Flexible and creative in helping to find acceptable solutions

Preferred Skills:

Application security experience

Peer code review experience

Working knowledge of Servlet and JSP

Working knowledge of ASP.NET

Framework experience (Struts, Spring)

Understanding of AJAX and web services

Maintenance programming experience

CISSP or comparable security certification

Developer Certifications (examples include SCWCD, SCJP, SCJD, SCJA, MCSD, etc.)

Basic understanding of the following protocols/technologies:

SSL/TLS, Cryptography (symmetric and asymmetric encryption, PKI, etc.)

Ability to work on multiple complex assignments simultaneously

Ability to work alone or in groups

Good communication and writing skills with the ability to talk to both business people and technical people