
Application Security Engineer Dallas or Detroit metro

Comerica • In Person

Posted 6 days, 8 hours ago

Job Description

Application Security Engineer

The Application Security Engineer ensures Comerica's applications are secure from cyber threats. Working primarily with dynamic and static code analyzers, the Application Security Engineer communicates vulnerabilities to development teams and collaborates with them as necessary to remediate those vulnerabilities. The individual is also responsible for integrating tool output into development pipelines. Creates and shares proof-of-concept code to demonstrate application attacks. Onboards applications and vulnerability tracking into the management system and reports on progress. Hosts threat modeling exercises based on STRIDE or another industry-standard methodology to draw out vulnerabilities during the design phase. Guides aspiring application security practitioners in static and dynamic code analysis.

Core Responsibilities

Threat Modeling & Design Reviews: Conduct risk assessments and threat modeling to identify potential vulnerabilities during the design phase of new applications.

Vulnerability Management: Oversee the vulnerability management program, managing its implementation and remediation efforts.

Secure Coding Practices: Promote and guide developers in adopting secure coding principles to build secure applications from the start.

Security Testing: Perform and automate application security testing, including static and dynamic analysis (SAST/DAST), code reviews, and penetration testing.

Tool Integration: Implement and maintain various security tools, such as secret scanners, SCA (Software Composition Analysis), SAST, and DAST tools, within development pipelines.

Developer Consultation: Act as a security consultant for development and product teams, providing technical security guidance and support.

Security Training: Develop and deliver training materials to developers on security best practices and awareness.

Documentation: Create and maintain documentation for application security controls, standards, and guidelines.

Position Responsibilities:

Performs integration of static and dynamic code scan output into CI/CD pipeline.

Reviews code analysis output and translates it into findings.

Utilizes the finding management software and tracks remediations with the development teams.

Delivers vulnerability resolution training to development and application teams.

Performs emerging threat and threat landscape research.

Provides forensic cyber event analysis.

Identifies means to reduce cyber-attack effectiveness. Continuously improves detections so they can be operationalized.

Threat Modeling and Emerging Vulnerability Detection

Leads threat modeling workshops to draw out vulnerabilities.

Champions industry standard Threat Modeling framework (such as STRIDE).

Updates detection tools as new vulnerabilities emerge.

Stays aware of new vulnerabilities to articulate their inner workings against Comerica's environment.

Company Expert Application Security Consulting

Works closely with partners in Cyber and Technology to solve security problems.

Serves as the escalation point for cyber incidents, events, and application vulnerability research.

Identifies and provides guidance to mitigate threat vectors unique to the shared cyber attack surface.

Proactively communicates with application development teams to illustrate vulnerabilities and solutions.

Planning and Organizing

Identifies & evaluates projects, products, and solutions to enhance threat detection and other capabilities.

Provides expert guidance on highly complex, large projects to incorporate cyber and fraud detection capabilities and considerations.

Participates in industry working and information sharing groups.

Administration

Keeps management informed of status of threats, the threat landscape, and current incidents and events through appropriate reporting.

Actively participates on committees representing Cybersecurity. Keeps abreast of leading-edge technologies in the application security space.

Other duties as assigned.

Position Qualifications:

Bachelor's Degree from an accredited university in Computer Science, Mathematics, Information Technology, Big Data, Cyber Security, or an equivalent combination of education and/or technology experience, or 12 years of technology experience

8 years of experience with progressive cyber security technology

5 years of experience in application security engineering

2 years of experience in dynamic/static application security review

2 years of experience in web application development/object-oriented programming

2 years of experience working with attack vectors in OWASP top 10

1 year of experience in threat modeling

Preferred Qualifications:

Technical Skills: Proficiency in programming languages (e.g., Java, Python), secure coding practices, network protocols, operating systems, and common cybersecurity tools

Security Knowledge: Deep understanding of threat methodologies, vulnerability assessment techniques, and application security principles

Tools: Experience with security assurance tools, CI/CD pipelines, secret scanners, SCA, SAST, DAST, and other related platforms

Communication: Strong written and verbal communication skills to effectively convey technical security information to both technical and non-technical stakeholders

Analytical Skills: Excellent analytical and problem-solving abilities to identify, assess, and resolve complex security issues

Experience using Snyk and Rapid7 Web Application Scanning

Work Best Category:

Category C - Days in the office will either be designated days or will vary week to week from 2-5 days

Hours:

8:00am - 5:00pm Monday - Friday

Salary:

To Be Determined Based on Individual Experience

About Comerica

We know our employees are critical to our overall success and we are dedicated to investing in their future. One of the ways we do this is to offer a comprehensive Total Rewards package designed to recognize and reward individual performance, as well as support health, well-being, development and security for our colleagues and their families. Total Rewards consists of cash compensation, development and flexible benefit programs designed to meet individual needs today and in the future. Your salary will be commensurate with your work experience, and our programs are reviewed regularly to ensure each remains competitive. We are proud to offer benefits such as health and welfare programs, strong retirement benefits, and generous paid time off programs. You and your eligible family members, including domestic partners and their children, can participate in medical, dental, and vision benefits, 401(k) and pension, income protection benefits such as life insurance, AD&D, and supplemental health programs to offset unexpected health care expenses. We also have a variety of time off programs for things like vacation, sick time, disability, and parental leave. Eligibility for some programs varies based on employment status and tenure.

Upon offer, Comerica conducts a comprehensive background and fingerprint check. Your fingerprints will be used to check the criminal history records of the FBI and may be subscribed in the FBI’s Record of Arrest and Prosecution Background (“RAP Back”) service, which provides ongoing notification to the Company of any updates to your criminal history.

NMLS certification requirement: where applicable, a favorable background check screening, credit check, fingerprint check, and NMLS certification are required in accordance with the SAFE Act.

Comerica Incorporated (NYSE: CMA) is a financial services company headquartered in Dallas, Texas, and strategically aligned into three major business segments: the Commercial Bank, the Retail Bank, and Wealth Management. Comerica's colleagues focus on relationships and on helping people and businesses be successful. In addition to Texas, Comerica Bank locations can be found in Arizona, California, Florida and Michigan, with select businesses operating in several other states, as well as in Canada and Mexico.

Comerica is proud to be an Equal Opportunity Employer – disability/veteran.
