Application Security Engineer

Be #InGoodHands with Metrobank

Here at Metrobank, we don't simply hire employees—we hone future leaders. We provide opportunities that enhance your skills and unlock your talents, helping you evolve into a well-rounded individual. We supply you with all the pieces you need to do your best work, unleashing your full potential to help you secure your future and lead a fulfilling career. And with Metrobank's strong heart for the community, you have the chance to give back and make worthwhile contributions to our nation's economic and social development. With Metrobank, a meaningful life is within your reach

Job Summary:

Develop and enforce security plans and standards; ensures that application security best practices are executed and implemented. Prepare the plans to deliver/implement the application security strategy prepared by the Security Architect. Provide support to the Security Architect in enterprise security projects including defining configuration standards, testing and implementation. Leads the research, evaluation and implementation of ISD security tools and small projects. Provide risk assessment support to CPSD and SQRD related to architecture for security concerns and/or security controls to be architected. Maintain and mature the security tools to ensure effective prevention and detection of incidents. Prepare the necessary documentation for project approval and implementation. Act as the subject matter expert on security of assigned technology domain/area (i.e., mobile application, web application, etc.).

Specific Duties & Responsibilities:

· Based on the approved IT security systems and application security architecture, develops detailed designs for implementation.

· Formulate, review and maintain IT security policies, technical standards, internal ISD procedures and guidelines related to securing the information processing environment, IT facilities and connected third party services/providers of the Bank.

· Provide support to CPSD and SQRD, serve as the security subject matter expert related to application security. Identify security design gaps in existing application systems and proposed architectures and recommend changes or enhancements.

· Evaluate cost-effective solutions and prepare the business case for IT security projects.

· Manage the testing of technical controls and monitors its implementation.

· Define and document security tool/device standard configuration parameters. Ensures that application security tools are securely configured and functions effectively and efficiently.

· Perform regular security configuration reviews, ensure efficacy of controls and use is optimized.

· Monitor and if necessary, assist ITG administrators in ensuring problems of security devices/systems are timely resolved.

· Review and/or evaluate vendor performance as part of VPRC process.

· Review installation and changes to CI/CD pipeline.

· Manages the implementation of baseline system security standards for application development.

· Collaborates and coordinates with other ISD Departments to ensure that holistic ISD service is provided to internal customers.

· Establish disaster recovery strategy of security tools implemented and ensures it is regularly tested for effectiveness.

· Stay up to date with latest security technology and trends, vulnerabilities and threats.

· Guide Infrastructure Security Specialists; review their work.

· Proactively works with the SAID Head in implementing programs for the continuous improvement of the bank's information security plans and strategies.

· Perform other information security governance, risk and compliance related duties and responsibilities as directed by the SAID Head.

Job Specifications:

· Graduate of any college degree in Computer Science or Information Security, or related technical field of expertise.

· Extensive/in-depth knowledge and understanding of secure coding principles and OWASP Top 10.

· Working experiences with designing/architecting CI/CD pipeline.

· Certification may include SANS GIAC, CISSP, CISM, GWAPT, or equivalent.

· At least 3+ years' experience in designing, implementing and maintaining application security solutions such as SAST, DAST, IAST, etc.

· Analytical and risk identification skills to analyze a variety of information security related risk situations and develop recommendations on the best course of action

· Scripting and programming – computer programming and scripting skills is an advantage.

· Strong written and oral communication skills to write technical reports on their assessments and communicate potential security weaknesses.

· Should also be abreast with security best practices and knowledge of common and emerging security threats.

· Self-starter, result-orientated in terms of disposition for corrective action to drive the remediation to reduce the risk exposure of the bank.

· Have good teamwork and collaboration skills: good team players with the ability to lead security initiatives.

· Good project management skills to lead and manage accomplishments of assigned tasks/projects within the predetermined time-frame

· Good communication skills: to effectively articulate and explain complex security topics in simple language and easy to understand concepts.