Cyber Security Application Specialist
- DEPARTMENT OF FINANCE
- Full-time
Location
MANHATTAN
- Exam may be required
Department
Cyber Security
Job Description
This vacancy has now expired.
SPECIAL NOTE: CANDIDATES WITH A PERMANENT CYBER SECURITY ANALYST OR COMPARABLE CIVIL SERVICE TITLE WITH SIMILAR DUTIES/RESPONSIBILITIES ARE ENCOURAGED TO APPLY. PLEASE INCLUDE YOUR EMPLOYEE IDENTIFICATION NUMBER (EIN) WHEN APPLYING AND INDICATE IN YOUR COVER LETTER YOUR PERMANENT CIVIL SERVICE TITLE.
The NYC Department of Finance (DOF) is responsible for administering the tax revenue laws of the city fairly, efficiently, and transparently to instill public confidence and encourage compliance while providing exceptional customer service.
The Finance Information Technology (FIT) Division designs, builds, and supports all facets of DOF’s computer systems, including hardware, software, applications, infrastructure, telephone, and data security. FIT delivers and administers tax-related payment programs for the City of New York by providing the information technology solutions needed to achieve its mission of collecting revenue while ensuring an efficient and improved customer experience. FIT is also responsible for the systems and websites which enable citywide payments, land records, property assessment, parking adjudications, customer service, and the Sheriff’s public safety work.
As a member of the Finance Cyber Security Governance team, the selected candidate will work within a multi-disciplined team to provide expertise on application security and DevSecOps initiatives, guiding the application development community toward the best security practices. The candidate will help further develop the Finance Cyber Security program and refine its integration into the SDLC as that process matures.
Duties and responsibilities will include, but are not limited to:
- Conduct thorough assessment of applications to identify and analyze potential security vulnerabilities.
- Coordinate and perform penetration testing, code reviews, and other security tests to ensure applications meet security standards.
- Provide engineering and development direction for application security designs that solve business problems.
- Effectively use and manage security scanning tools to identify and mitigate security risks in applications.
- Evaluate and prioritize security risks, providing recommendations for remediation to enhance the overall security posture of applications.
- Develop, implement, and enforce security policies and best practices for application development and deployment.
- Work closely with development and IT teams to integrate security measures into the software development life-cycle and address security issues promptly.
- Actively participate in incident response activities, investigating and resolving security incidents related to applications.
- Collaborate with other teams to help architect solutions that are inherently secure.
- Promote security awareness among development teams, fostering a culture of security-conscious application development.
- Ensure applications comply with relevant security standards, regulations, and industry best practices.
- Maintain accurate documentation of security processes, assessments, and remediation efforts.
- Provide, or partner to provide, training sessions to educate development teams on secure coding practices and emerging security threats.
- Stay abreast of the latest security trends, vulnerabilities, and technologies, incorporating new knowledge into security strategies.
- Effectively communicate security risks and solutions to both technical and non-technical stakeholders, facilitating a clear understanding of potential threats.
- Contribute to cross-functional security initiatives, ensuring a holistic and integrated approach to overall organizational security.
- Knowledge of integrating software security into the software development cycle.
- Understanding how to develop secure coding guidelines and train developers on those guidelines.
- Ensure the number of software vulnerabilities is minimized by using static and dynamic analysis, including fuzz testing and penetration testing of applications.
- Help develop integrity checks to ensure data is accurate. Knowledge of how to develop production security algorithms to help protect users and data.
- Experience working with container security.
- Provide DevOps security solution integration with various security test tools.
- Work with application teams on security solution design and implementation. Be a security subject matter expert and respond to any internal security engineering questions/requests.
- Assess security solutions' proof of value and conduct proofs of concept.
- Educating other team members on application security standards and best practices.
- Participating in enterprise technology and functional planning processes to develop standards and best practices.
- Correctly balance security risk and product advancement.
- Perform proactive research to detect new attack vectors.
- Design and implement mitigations for common classes of bugs in a popular web framework before code is developed.
1. A baccalaureate degree, from an accredited college including or supplemented by twenty-four (24) semester credits in cyber security, network security, computer science, computer programming, computer engineering, information technology, information science, information systems management, network administration, or a pertinent scientific, technical or related area; or
2. A four-year high school diploma or its equivalent approved by a State’s department of education or a recognized accrediting organization and three years of satisfactory experience in any of the areas described in “1” above; or
3. Education and/or experience equivalent to “1” or “2”, above. College education may be substituted for up to two years of the required experience in “2” above on the basis that sixty (60) semester credits from an accredited college is equated to one year of experience. In addition, twenty-four (24) credits from an accredited college or graduate school in cyber security, network security, computer science, computer programming, computer engineering, information technology, information science, information systems management, network administration, or a pertinent scientific, technical or related area; or a certificate of at least 625 hours in computer programming from an accredited technical school (post high school), may be substituted for one year of experience.
- Bachelor's degree in computer science or related field.
- A deep understanding of the web's architecture.
- Ability to find flaws in software and effectively communicate how to fix them.
- Strong communication skills and accustomed to working closely with a product team.
- The ability to think about problems from an out-of-the-box perspective that doesn't always default to industry norms.
- Ability to think like an attacker and use that context to develop threat models.
- At least 1 year of experience implementing and automating a DevOps toolchain (Jenkins, SonarQube, GitHub, Nexus, code quality tools).
- Minimum 3 years of experience with scripting and automation.
- Minimum 3 years of experience with web application and web service implementation.
- Hands-on experience with application development is required.
- Software engineering experience in a production environment.
- Experience making and defending sound technical arguments that incorporate relevant technical and business considerations, and building consensus among stakeholders.
- Familiarity with the OWASP framework and application security best practices.
- Passion to work on newer technologies and explore the security domain.
- Specific relevant experience should include training, writing, and presenting application security assessment reports.
- Knowledge of web services security (SOAP, XML Encryption).
- Knowledge of encryption technologies (web, database, and file).
- Knowledge of Identity and Access Management and its application in an enterprise.
- Industry certification is a plus.
- Strong written and verbal communication skills.
This position is also open to qualified persons with a disability who are eligible for the 55-a Program. Please indicate at the top of your resume and cover letter that you would like to be considered for the position through the 55-a Program.
As a prospective employee of the City of New York, you may be eligible for federal loan forgiveness programs and state repayment assistance programs. For more information, please visit the U.S. Department of Education’s website at https://studentaid.gov/pslf/.
New York City residency is generally required within 90 days of appointment. However, City Employees in certain titles who have worked for the City for 2 continuous years may also be eligible to reside in Nassau, Suffolk, Putnam, Westchester, Rockland, or Orange County. To determine if the residency requirement applies to you, please discuss with the agency representative at the time of interview.
The City of New York is an inclusive equal opportunity employer committed to recruiting and retaining a diverse workforce and providing a work environment that is free from discrimination and harassment based upon any legally protected status or protected characteristic, including but not limited to an individual's sex, race, color, ethnicity, national origin, age, religion, disability, sexual orientation, veteran status, gender identity, or pregnancy.
Job ID
681105
Title code
13633
Civil service title
CYBER SECURITY ANALYST
Title classification
Competitive-1
Business title
Cyber Security Application Specialist
Posted until
2024-10-26
- Experienced (non-manager)
Job level
02
Number of positions
1
Work location
375 Pearl Street
- Technology, Data & Innovation