The Application Security team in MetLife’s IT Risk & Security organization plays a critical role in ensuring the security of MetLife’s applications and protecting customer and MetLife data. The team works closely with global application development teams and leading application security vendors who provide SAST/DAST/SCA/WAF/RASP and ethical hacking services.
Application security is a top area of focus at MetLife and we are working to embed a ‘secure by design’ culture and associated practices in all development teams. We have adapted key practices recommended by industry standard software security maturity models to drive changes in Application Security strategy. This is an exciting time to join the Application Security team as we are continuing to expand and invest in new capabilities.
The Director of Application Security Services will lead a team of professionals responsible for managing core testing services as well as developing a new security champion practice. The Director of Application Security Services will supply thought leadership with hands-on technical acumen. This is truly an exciting opportunity for a leader to have broad-based impact and take application security to the next level at MetLife.
Execute MetLife’s strategic application security roadmap that is based on industry standard software security frameworks. Lead and manage a team of application security coordinators who are responsible for coordinating all aspects of SAST/DAST/SCA/WAF/RASP and ethical hacking testing with application development teams.
Develop and lead a cross-functional virtual team of security champions; drive security culture, innovation and security policy effectiveness. This practice will interface with global security champions in application development teams to offer consultative advice on secure design and remediation activities. Further enhance, integrate and automate application security testing services.
Partner with Enterprise Architecture and DevSecOps to develop and maintain industry-aligned application security standards, secure coding checklists and security control requirements; provide subject matter expertise; and be fully engaged in application incident response activities.
Partner with Enterprise Architecture and DevSecOps to support threat modelling as a ‘secure by design’ practice; create and share technology-specific attack patterns, abuse cases, root cause analyses and risk mitigation strategies. Collect and publish attack stories, emerging threats, lessons learned and best practices in the internal knowledge base, and issue security directives based on the emerging threat landscape.
Create and chair a security champions forum to discuss technical topics related to application security, and explore new and innovative security solutions in partnership with MetLife’s innovation team and internal technical partners. Conduct pilots and proofs of concept to recommend new solutions that improve our application security posture.
Essential Business Experience and Technical Skills:
Experience in developing or managing application security and vulnerability management programs. General knowledge and experience with industry standard frameworks like BSIMM and SAMM. Strong working knowledge of OWASP Top 10 and SANS/CWE Top 25.
Experienced in enterprise application security policy/standard management lifecycle, technology and process related to application security testing and developing effective proactive/reactive mitigation strategies.
Strong knowledge of enterprise development lifecycles (Traditional & DevSecOps) with a proven track record driving security decisions and influencing security best practices amongst development teams.
Expertise with software development functions, exploitation techniques as well as defensive techniques, white-box/black-box testing, application ethical hacking (AEH) & penetration testing.
Experience in a governance function engaging with senior stakeholders, metrics reporting, dashboarding, data visualization and presentations.
Strong knowledge of SDLC and working experience with large-scale development projects, IDEs and defect tracking systems in an Agile Scrum environment.
Preference given to candidates with one or more of the following industry-recognized certifications: CISSP, CSSLP, CEH, GWEB or GWAPT.
Experience creating an effective employee development & retention program.
Experience leading geographically dispersed, multinational staff & projects.
Excellent communication and facilitation skills.
Strong analytical skills with the ability to collect, organize, analyze and disseminate significant amounts of information with attention to detail and accuracy.
Internal Number: 111698
At MetLife, we put customers at the absolute center of everything we do. In fact, we believe technology will transform the customer experience and are investing nearly $300 million in new technologies that will help us innovate and develop new products and services to better serve our customers. We're actively seeking world-class talent for the GTO division, building a diverse, global and highly skilled workforce that is passionate about the same things we are — pushing ourselves to learn and grow, to be efficient, to share experiences and knowledge and to collaborate as a global team.