
Tech SME - Application Engineering Security

Date: Jan 13, 2021

Location: CHICAGO, IL, US, 60603-4013

Company: Grainger Businesses

Grainger is North America's leading Maintenance, Repair & Operating (MRO) provider and the 10th-largest North American e-commerce player, with over 50% of our revenue coming from online transactions. We deliver technology solutions across the enterprise, including our call centers, branch network, sales, and our various digital channels. The team supports over 1,000 applications across the network and operates in an agile environment to deliver complex solutions quickly and seamlessly.

 

Primary Function

 

The Application Security Technical SME (Subject Matter Expert) provides guidance, enablement, workshops, education, and best practices to drive specific technical and architectural principles into an Engineering organization. This role serves as the foremost security representative who partners with development teams, leaders, and product lines to provide consultative guidance, insight, and feedback as new technologies or products are explored. They act as hands-on teachers and guides who coach and upskill individuals and teams in modernizing security approaches. The Application Security Technical SME is responsible for the analysis, evaluation, and execution of an application security offering that integrates development activities, information security, and the automated release methods within the CI/CD pipeline. Ultimately, the successful candidate has a strong grasp of development lifecycles and information security, accompanied by a highly personable and engaging communication approach.

 

*This role is typically located in our downtown Chicago office, but due to COVID-19 it will be fully virtual until further notice. Once this office location has a return-to-work plan, the team member will be required to be on-site.

 

Responsibilities:

 

From an Information Security perspective, this role is expected to fully grasp the concepts behind security controls and how they apply to application development, secure infrastructure, and CI/CD environments. This individual is accountable for identifying weaknesses in our security posture within the application and web space, and for defining ways to meet security control requirements through automation or other highly efficient means that support timely delivery with minimal overhead. Other key responsibilities include:

  • Critical thinking and analysis in the security discipline are essential: this role identifies the root cause of information security exposure across the enterprise, with or without obvious indicators of exposure.
  • Partnering with teams across the IT organization and helping to influence decisions that lead to a high standard of security.
  • The secure design, architecture, and implementation of new applications, including secure software development lifecycle (SDLC) practices that incorporate threat modeling and security testing.
  • Defining and publishing Application Security standards in a practical and consumable format, and ensuring such standards comply with applicable security controls.
  • Presenting recommendations for review and validation at the Technical Assurance Group.
  • Conducting technology research for innovation, continuous improvement, and knowledge sharing in the Application Security space, and developing a subset of the technology strategy from that research.
  • Teaching, enabling, and advocating key Architecture and Technical principles and their implementation across all engineers in the Product Engineering Organization.
  • Organizing training to improve employees' knowledge and skills for future organizational growth as it relates to Architecture principles and standards.
  • Facilitating and directing appropriate Centers of Enablement, including their initiation, administration, and retirement.
  • Assisting in the development of training for all personnel related to the Application Security space.
  • Driving innovation of new solution- and integration-level patterns, tools, and practices, managing risk and controlling "technology sprawl".
  • Contributing to talent acquisition and upskilling in the area of expertise.

 

 

Qualifications:

 

As the focal person for Application Security, the individual will have robust training, experience, and background in both Information Security and Application Development lifecycles, approaches, languages, and tools. Qualifications include:

  • Bachelor’s Degree in Computer Science (related) or equivalent experience as a hands-on security architect/senior security engineer.
  • Previous experience in defining organization-wide security processes and methodologies, a proven leadership/influence style, customer-service oriented demeanor, problem-solving, effective reporting via metrics and indicators, and strong communications are all essential to this function.
  • 9+ years of IT Security experience. Industry certifications are beneficial (e.g. CISSP, CEH, GPEN).
  • Highly technical and analytical expertise, with a proven deep background in security technology design, implementation, and delivery. This individual must be comfortable providing metrics, analysis, and quantitative/qualitative evidence when necessary to drive a security outcome.
  • The ability to code is a mandatory skill (this qualification is non-negotiable). Of particular importance is the ability to work with delivery-infrastructure code (e.g. Terraform, plus scripting such as Python), along with languages such as Java and Kotlin.
  • A comprehensive understanding of typical exploits and associated implications is essential to ensure observations and findings can be not only remediated but treated in accordance with the risk-ranked potential impact.
  • Deep understanding of frameworks such as MITRE ATT&CK and OWASP ASVS. Understand how to implement these into an Application Security program and assess the application threat landscape. Be able to use these frameworks in communication with stakeholders.
  • Ability to identify appropriate findings in vulnerability scan results and communicate with development teams on how to best remediate.
  • Understand Authorization Policy as Code practices and be able to write such policy as code. Possess the knowledge and ability to build security automations on AWS.
  • Understand OIDC/OAuth/SAML architecture and use patterns.
  • Demonstrated understanding of good software design/architecture principles.
  • Demonstrated coaching/teaching skills for small teams and individuals.
  • Ability to create training plans and materials for technical people.
  • Strong quantitative, analytical, and problem-solving skills, including the ability to accumulate, organize, and assimilate large amounts of information.
  • Ability to work independently, plan, and prioritize work to meet commitments aligned with organizational goals.
  • Mindset to continuously improve the technical knowledge of engineering partners.
  • Focus on continual self-improvement to maintain expertise.
  • Ability to lead/co-lead Risk Assessments and Security Reviews.
  • Ability to lead the technical aspects of an Incident Response.

 

Additional:

  • This role engages with Engineering leaders, Architects, Administrators, Engineers, and Project and Program managers to educate, coach, advise, and improve the skills of people across the organization.
  • Usually functions with high autonomy; requires occasional guidance.
  • Requires a high level of initiative. Provides technical guidance and consultation to other architects and engineers.
  • Sponsors or facilitates Communities of Practice and Centers of Enablement.
  • Informs better decision making at all levels of the technology organization.
  • Reports directly to a Director in the Security Organization.
  • Demonstrated experience with geographically distributed teams in a matrixed environment.
  • Additional insights, experience or background in any of the following are also of great value: NIST, ISO 27001, Java Development, Kotlin, Static Code Analysis, Dynamic Code Analysis, Penetration Testing and Vulnerability Scanning, AWS, Containers and Micro-Services, CI/CD Pipelines, Agile, Sprints / Scrum Masters, GitHub, Black Duck, WhiteHat, Veracode, Jira, Docker, Cloud Security and design, and other related focuses.

 

Grainger is an Equal Opportunity Workplace and an Affirmative Action Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or protected veteran status.