Altria Client Services LLC
Senior Application Security Program Lead (Finance)
Looking to provide strategic direction and lead the expansion and continued maturation of an Application Security Program for a Fortune 200 Company with some of the most iconic Brands? If you have six plus years of IT experience, a deep understanding of application security concepts and techniques, and demonstrable ability to enhance the maturity of application security capabilities, we want to speak with you! We are currently looking for a Sr. Application Security Program Lead to join our Threat Detection and Response group in Richmond, VA, but are open to remote work arrangements. The scope of the role will include policy, process, technology, and Managed Service Provider governance, requiring engagement with both technical and non-technical business partners from across the corporation. This role will also function as a key member of Altria's Computer Security Incident Response Team (CSIRT), providing effective incident response coordination as part of an on-call rotation.
What you will be doing:
• Driving the strategic direction and leading the expansion of the Application Security program; efforts will include development and maintenance of application security roadmaps, concept of operations, standards, risk reporting and metrics.
• Leading and/or performing application security vulnerability assessments, penetration testing, executing SAST and DAST scans, focused on mobile and web applications.
• Collaborating with development teams to drive the onboarding of new and existing applications to Veracode SAST and DAST.
• Collaborating with partners (application owners, developers, BISOs, etc.) to ensure vulnerability findings are classified, documented, and managed appropriately. This includes thought leadership as an input into risk management of vulnerabilities that go un-remediated.
• Providing guidance to development teams on vulnerability identification, analysis, and remediation.
• Developing code review guidelines across a variety of programming languages.
• Leading the development and delivery of Application Security Training Programs.
• Handling supplier relationships to include engagement management, SOW generation, invoice management and ongoing operational governance.
• Functioning as a valued member of the CSIRT and providing 24x7 support for incident handling and coordinating when on call.
• Other security-related tasks that may be assigned.
We want you to have:
• Minimum 8 years IT experience with at least 5 years of experience in application security; specifically, with web and mobile application security.
• Demonstrated experience leading and maturing application security programs.
• Detailed understanding of common code review methods and standards, including OWASP standards and methodologies.
• Knowledge and familiarity with Software Development Lifecycles (SDLC), including both Waterfall and Agile methodologies.
• Detailed grasp of IT security concepts and Defense-in-Depth practices.
• Strong verbal/written communication, with ability to effectively interact with individuals at all levels of responsibility and authority; must be able to prioritize, delegate and foster the development of high-performance teams to lead/support an environment driven by customer service and teamwork; strong troubleshooting and organizational skills and ability to work on multiple projects simultaneously; ability to participate in resource planning processes based on defined organizational plans.
• Demonstrated experience coordinating incident response activities.
Preferred Qualifications & Experience:
• BS in Cyber Security, Information Systems, Information Technology, Computer Science, Digital Forensics, or equivalent subject area
• Knowledge of common security requirements within application development environments and programming languages such as C#.net, ASP.NET, VB.Net, Ruby, HTML, CSS, JavaScript, Objective-C, Swift, Java, Python.
• Experience using security and software development tools (e.g. Veracode, Burp Suite, Azure DevOps, Visual Studio, Android Studio, Xcode, Synopsys Security Testing Services, Software Composition Analysis software such as Black Duck and WhiteSource, QRadar).
• Industry Certifications preferred: GWAPT, GPEN, GWEB, CISSP or related.
Company Overview
Altria Group is a FORTUNE 200 company that leads the premier tobacco companies in the United States. Headquartered in Richmond, Virginia, Altria Group holds diversified positions across tobacco, alcohol, and cannabis. Our tobacco companies include some of the most enduring names in American business: Philip Morris USA, U.S. Smokeless Tobacco Company, John Middleton. We have 35 percent ownership of JUUL Labs, Inc., the nation's leading e-vapor company. And we have an 80 percent interest in Helix Innovations, which manufactures and markets on!, an oral tobacco-derived nicotine pouch product. We complement our total tobacco business with our ownership of Ste. Michelle Wine Estates and our significant equity investment in Anheuser-Busch InBev, the world's largest brewer. Altria's significant stake in Cronos Group, a leading global cannabinoid company, represents an exciting new global growth opportunity. At Altria, we celebrate the power of diverse teams working together to shape our future. We are inspired to bring our best because our unique strengths are valued. We believe our personal success and progress should be guided by Our Cultural Aspiration, a new articulation of what we value and who we aspire to be, collectively. Our Cultural Aspiration respects and complements individual identity, embracing each other's unique strengths, welcoming newcomers and developing the best, most inclusive and diverse teams. Over the next 10 years, we have the opportunity to make more progress on harm reduction than we have in the past 50 years. Join us as we work together to shape a better future for adult tobacco consumers, our employees, and our shareholders. Each Altria company is an equal opportunity employer.