Front End Application Security Architect
London, England, United Kingdom
Applications have closed
Nutmeg
Nutmeg is an online investment management service. Invest money using our General Investment Account, ISA, Pension, Lifetime ISA or Junior ISA. Nutmeg is the UK’s largest truly digital wealth manager, offering clarity and transparency to both seasoned and first-time investors as they seek to achieve their financial goals. Launched in September 2012, Nutmeg now manages over £4.5bn on behalf of over 200,000 clients who have sought the powerful combination of an easy-to-use, adaptable investment service and market-leading human advice. Nutmeg is a J.P. Morgan company offering investments and digital wealth management services to consumers, complementing Chase’s digital bank in the UK.
At a time when people are seeking the closer relationship with money that technology can provide, Nutmeg:
- Has a team of over 240 employees
- Offers award-winning stocks and shares ISAs, Junior ISAs and Lifetime ISAs, as well as personal pensions and general investment accounts
- Provides financial planning and advice alongside our award-winning client services team
*We offer flexible working*
Job in a nutshell:
We run a pure AWS-based cloud environment and deliver features using a continuous delivery approach. Our platform comprises a mix of proprietary and open-source products fully running in Kubernetes.
Our engineering team is growing rapidly and we’re looking for experienced candidates for the position of application security architect for product security.
As an application security architect, you will perform application security reviews to identify application design flaws, and provide hands-on technical security guidance to protect our products from known and emerging threats, vulnerabilities and intrusion attacks.
What you’ll be doing, in collaboration with broader security and engineering teams:
- Maintain an in-depth understanding of application security standards for digital platforms and technologies (front end: Node/React; microservices; APIs (SOAP, REST & GraphQL); and AWS cloud services)
- Define and evolve application security architecture and patterns based on enterprise reference architecture and threat landscape
- Create security use, misuse, abuse cases, security test plans and acceptance criteria for product features
- Integrate static and dynamic vulnerability checks for applications, open-source libraries, container registries, Kubernetes runtime workloads and APIs
- Champion secure development practices and lead collaboration with engineers to identify application security risk mitigation techniques / priority fixes
- Define/Maintain guidelines, standards, and baselines for application security and secure deployments
- Research future security technologies and develop secure migration roadmaps
- Secure the integration of digital application platforms with partner technology solutions
Requirements
- Passion to learn and to contribute to ongoing maturity of security engineering function and development of the team
- Cross-team collaboration and communication skills - Make it easy for Product, Engineering and non-technical audience to embed appropriate level of security into ways of working
- Secure Design – Threat modelling and risk assessment tools, Security requirements engineering, Security architecture patterns (e.g. OAuth 2.0 / OIDC security standards, Microservices), Security and Privacy by Design Principles (Tools - IriusRisk, Security Compass, ThreatModeler, Threagile)
- Security Verification – Architecture reviews, Requirements-driven testing, automation and embedding of security testing tools and frameworks into CI/CD tool chains
- Security defect and vulnerability management (application and API pen testing exposure) - OWASP Top 10 / SANS Top 25 Software Errors (dev languages / frameworks: JS, React, Ruby)
- Familiarity with DevSecOps frameworks – OpenSAMM v2 / DSOMM, NIST Cyber Security Framework (CSF), NIST 800-53, OWASP ASVS/MASVS/MASTG (web apps / mobile apps)
- Exposure to architecting secure cloud services using AWS Well-architected framework (Securely integrating cloud components into a web application)
- Strong understanding of application attack methods, kill chain disruption techniques (MITRE Framework)
- Solid understanding of the major global regulations, legislative and legal requirements (FCA, EU-GDPR)
You might also have: (Desirable skills)
- Desirable certifications / Security Courses – SANS GIAC Certified Web Application Defender
Tags: APIs Application security Automation AWS CI/CD Cloud DevSecOps GDPR GIAC Kubernetes Microservices NIST OWASP Pentesting Privacy Risk assessment Ruby SANS Vulnerabilities Vulnerability management
Perks/benefits: Flex hours Transparency