Sr. Offensive Security Engineer, Information Security Assurance & Response

Position Summary:

The Senior Offensive Security Engineer operates, monitors, and improves information security processes and systems that protect the Bank’s data, customers, and computer systems from business disruption, data/identity compromise, cyber fraud, and regulatory criticism. This role focuses on application and development security, application penetration testing capabilities, and cloud infrastructure/platform security.

Essential Functions:

Key Offensive Security responsibilities include:

• Conducting Red Team Exercises to simulate Advanced Persistent Threats (APTs) against web, mobile, and cloud-based applications to identify security weaknesses and assess the effectiveness of security controls.
• Perform in-depth manual and automated penetration testing against Cloud and On Prem Networks and applications to discover vulnerabilities and weaknesses that could be exploited.
• Work with development teams to identify potential security threats early in the software development lifecycle (SDLC) and provide recommendations to mitigate risks.
• Develop and enhance tools, scripts, and frameworks to automate testing and reporting processes, including setting up continuous integration (CI) security checks.
• Document findings in detailed, actionable reports for both technical and non-technical stakeholders. Communicate effectively with developers, engineers, and executive leadership on remediation strategies.
• Collaborate with Blue Team (defensive security), DevOps, and engineering teams to improve detection and response capabilities.
• Stay updated on the latest security threats, vulnerabilities, and exploits, and apply this knowledge to enhance Red Team operations.

Each Security Engineer is also responsible to cross-train and be familiar with other security functions as assigned:

• Security Monitoring & Response - Detects and responds to security events by identifying, reporting, mitigating, and recovering from security incidents.
• Security Control Engineering and Operations - Enables and protects business services with appropriate access, endpoint, network, data storage, and data loss prevention controls, including vulnerability and controls testing.
• Security Risk & Program Management - Assesses and advises technology and business groups by identifying, prioritizing, managing, and reporting security risk.
• Performs other duties as assigned.

Compliance with Laws & Regulations: 

• Responsible for complying with all of the Bank’s internal control policies and procedures.
• Responsible for understanding and complying with all laws and regulations to which the Bank is subject.
• Responsible for communicating problems in operations, noncompliance with the code of conduct, noncompliance with laws and regulations, policy violations, or illegal acts.

Education and Experience:

• Bachelor’s degree in computer science, Cybersecurity, Information Security, or a related field. Equivalent experience will also be considered.
• 5-8+ years of experience in application security, penetration testing, or Red Team operations.

Summary of Qualifications:

• Proficient in programming/scripting languages such as C#, Python, JavaScript, PowerShell, Bash, or other relevant to security testing.
• Strong Foundational Linux skills.
• Expertise in using security testing tools (e.g., Burp Suite, Nessus, C2 Frameworks, SQLMap, NMAP etc.).
• Strong knowledge of web application frameworks, APIs, microservices, and cloud environments (AWS, Azure, GCP).
• Familiarity with Secure Software Development Lifecycle (SSDLC) and DevSecOps practices.
• Familiarity with highly regulated industries, and specifically the banking industry (including FDIC regulations) is preferred.
• Demonstrated skills with security concepts, defense-in-depth strategies, security tools, and protocols.
• “White-hat” mentality, with a healthy sense of paranoia (security awareness and risk).
• Positive, inquisitive, can-do attitude.
• Self-starter, requires minimal oversight to perform as expected, work well independently and as part of a team.
• Comfortably perform well under pressure, deliver to commitments on tight deadlines.
• Meticulous attention to detail.
• Passion for cybersecurity and technology trends, news, and hacking techniques.

Work Environment/Physical Demands:

• May require some travel to company, partner, or vendor locations for various job duties.
• May require some lifting of up to 50 pounds to rack/maintain IT or security equipment

Security Responsibilities - General:

This classification requires heightened security awareness to safeguard the Bank's data, including customer non-public personal information.  This security level means that the job includes exposure to all categories of Bank data, including customer non-public personal information.

General Disclosure:

The above statements reflect the general information considered necessary to describe the principal functions of the job and should not be considered as a detailed description of all work requirements that may be inherent to the position. In addition, the incumbent may be called upon to personally handle projects or assignments not usually related to the position’s day-to-day activities. Understand and comply with laws and regulations that are applicable to my job function. Understand and comply with company policies and procedures that are applicable to my job function.