EY Cybersecurity Application Security - Senior - Consulting - Location OPEN in Rochester, New York

At EY, you’ll have the chance to build a career as unique as you are, with the global scale, support, inclusive culture and technology to become the best version of you. And we’re counting on your unique voice and perspective to help EY become even better, too. Join us and build an exceptional experience for yourself, and a better working world for all.

EY’s Cybersecurity practice functions as a center of excellence to assist our National Consulting practices in planning, pursuing, delivering, and managing large, complex full lifecycle initiatives along with providing expertise in leading practices, methods, and resources in the space of Cybersecurity. The Attack Surface Management capability within the Cybersecurity practice is a critical competency that supports our clients across all industry sectors.

The opportunity

We are currently seeking a highly motivated Senior Consultant to work on client engagement teams across a wide variety of clients, delivering professional services and supporting strategic and global priority accounts.

In a rapidly changing IT environment, clients from all industries look to us for trusted solutions for their increasingly complex risks and vulnerabilities. As a member of our Cybersecurity team, you’ll be right at the heart of that goal, helping clients gain insight and context to their cyber threats and assessing, improving, and building security operations to mitigate these threats. You’ll get to use your technical and business skills to help us drive this mission and have an impact on cybersecurity at a global level.

Your key responsibilities

As a Senior Consultant on our Application Security team, you will work on teams as they help EY’s clients define technical and business requirements for application security solutions, as well as develop business processes and policies related to controlling access to products and applications. You will help develop DevSecOps strategies and implement solutions that provide application security and integrity.

Work with client personnel to enhance the Software Development Life Cycle (SDLC) by adding security to remove vulnerabilities and protect business logic. Establish a security program for the SDLC, capture the client's current application architecture, lead the overall application review process, identify application vulnerabilities, propose architectural changes, design, coordinate, and implement these changes at procedural and technological levels.

You’ll work alongside respected industry professionals, learning about and using the latest tools and techniques to identify and overcome some of the most relevant and pressing security issues in the world. It’s a highly specialized area, where you’ll learn highly sought-after technical skills, all while developing your relationship management abilities – often by working directly on-site with our clients.

Skills and attributes for success

  • Work with clients to analyze, evaluate, and enhance the effectiveness of their application/product security posture from design to deployment. Use knowledge of current application security best practices and industry trends to lead the implementation of application security solutions for our clients and support the clients in their desire to protect their business.

  • Provide technical execution of our key application security service offerings, including: conducting assessments of applications (web, cloud, mobile) using a range of manual and automated source code review techniques; performing security architecture reviews of applications in design and production phases; identifying potential threats and attacks to application systems through threat modeling; identifying security recommendations and aligning them to appropriate risk ranking systems; integrating application security tools and processes into the pipeline; agile penetration testing; evaluating, developing, enhancing and/or running application security programs for our clients; conducting the above with a specific focus on DevSecOps.

  • Perform detailed Quality Assurance (QA) review of web-based applications, identify and validate application vulnerabilities, and perform actual remediation at architectural and source code levels.

  • Excellent written and verbal communication skills to complete reports and other deliverables as specified in planning documentation. Ensure project documentation is complete and archived appropriately.

  • Act as a subject matter resource in specific programming languages and web application environments. Propose vulnerability risk level and estimated level of remediation effort. Propose code fix or architectural strategies to remediate identified vulnerabilities. Confirm appropriateness of a proposed remediation approach or propose viable alternatives and perform the actual remediation.

  • Collaborate with the engagement team to plan the engagement and develop work programs, timelines, and planning documentation. Work with the team to document the business processes dependent on IT. Ensure high-quality client service by directing daily progress of fieldwork, informing supervisors of engagement status, and managing staff performance.

To qualify for the role, you must have

  • Bachelor’s degree in Computer Science, Information Systems, Engineering, or related field and 2 years of related work experience, or a Master’s degree in Computer Science, Information Systems, Engineering, or a related field and 1-2 years of related work experience.

  • Must have 2 years of work experience performing at least one of the following services in an independent manner:

      • Conducting application security vulnerability assessments and attacks, including creation of proof-of-concept exploits, using either manual penetration testing and source code review techniques or automated commercial SAST/DAST/IAST tools.

      • Demonstrated experience with enterprise application development in one or more of the common development platforms: Java/J2EE, .NET/C#, C/C++, PHP, Python, or Flash.

      • Enterprise experience with application development for mobile platforms such as iOS, or usage of mobile frameworks such as Kony or PhoneGap, is a plus.

      • Understanding of best-practice methodologies in application security, including OWASP and mobile.

      • Performing security architecture/threat modeling reviews on a wide range of applications and determining the appropriate security controls. Must be able to demonstrate experience by describing the types of applications that have been reviewed; the methodology followed as part of the review; the security controls evaluated as part of the review; sample findings that have been discovered; and sample remediation guidance that has been provided.

      • Evaluating application security programs for clients, developing key elements of the program as part of the enhancement process, and developing internal vulnerability assessment and management processes.

      • Evaluating DevSecOps programs to determine how to embed security activities, and working with clients to evolve their development programs to embed application security tooling and processes.

  • Ability to learn and adapt to integrate application security into different CI/CD systems and apply automation as needed.

  • Must have an understanding of development methodologies, with at least 1 year of experience working in an Agile development, application security, or DevOps role, and with experience in the following technologies:

      • Containers (Docker, Kubernetes, etc.)

      • Infrastructure as code (Vagrant, Docker, Ansible, Chef, Terraform, etc.)

      • Continuous integration (Jenkins, Bamboo, Hudson, etc.)

      • Integration of security testing tools into the pipeline

      • Defect tracking (Jira, Bugzilla, ServiceNow, etc.)

      • Source code management (GitLab, GitHub, Bitbucket, etc.)

      • QA testing tools (NUnit, JUnit, Selenium, Cucumber, etc.)

      • Application security testing tools (SAST, DAST, IAST, OSA, etc.)

      • Various *nix distributions

      • Cloud environments (AWS, Azure, etc.)

  • Must have 1 year of experience in all of the following:

      • Developing enterprise applications or scripts for security testing (security as code)

      • Demonstrated ability to learn and adapt to different CI/CD systems and leverage them for automation as needed

      • Performing manual application penetration testing

      • Performing manual security code reviews

  • Candidates whose work experience is aligned to conducting security architecture reviews must have 1 year of experience with cloud technologies and services, including at least one of the following:

      • Amazon Web Services (AWS)

      • Pivotal Cloud Foundry

      • Microsoft Azure

Ideally, you’ll also have

  • Experience on information security projects including development of project charters and plans; project execution and successful implementation of the planned solution

  • Experience in process definition, workflow design and process mapping

  • Excellent teaming skills with advanced written and verbal communication skills

  • A valid driver's license in the US and a valid passport required; willingness and ability to travel domestically and internationally to meet client needs

What we look for

We’re interested in intellectually curious people with a genuine passion for cybersecurity. With your broad exposure across Cybersecurity, we’ll turn to you to speak up with innovative ideas that could make a lasting difference not only to us – but also to the industry as a whole. If you have the confidence in both your presentation and technical abilities to grow into a leading expert here, this is the role for you.

What we offer

We offer a competitive compensation package where you’ll be rewarded based on your performance and recognized for the value you bring to our business. In addition, our Total Rewards package includes medical and dental coverage, pension and 401(k) plans, and a wide range of paid time off options. Under our flexible vacation policy, you’ll decide how much vacation time you need based on your own personal circumstances. You’ll also be granted time off for designated EY Paid Holidays, Winter/Summer breaks, Personal/Family Care, and other leaves of absence when needed to support your physical, financial, and emotional well-being.

  • Continuous learning: You’ll develop the mindset and skills to navigate whatever comes next.

  • Success as defined by you: We’ll provide the tools and flexibility, so you can make a meaningful impact, your way.

  • Transformative leadership: We’ll give you the insights, coaching and confidence to be the leader the world needs.

  • Diverse and inclusive culture: You’ll be embraced for who you are and empowered to use your voice to help others find theirs.

If you can demonstrate that you meet the criteria above, please contact us as soon as possible.

The exceptional EY experience. It’s yours to build.

EY | Building a better working world

EY exists to build a better working world, helping to create long-term value for clients, people and society and build trust in the capital markets.

Enabled by data and technology, diverse EY teams in over 150 countries provide trust through assurance and help clients grow, transform and operate.

Working across assurance, consulting, law, strategy, tax and transactions, EY teams ask better questions to find new answers for the complex issues facing our world today.

EY is an equal opportunity, affirmative action employer providing equal employment opportunities to applicants and employees without regard to race, color, religion, age, sex, sexual orientation, gender identity/expression, national origin, protected veteran status, disability status, or any other legally protected basis, including arrest and conviction records, in accordance with applicable law.

EY is committed to providing reasonable accommodation to individuals with disabilities. If you are a qualified individual with a disability and either need assistance applying online or need to request an accommodation during the interview process, please call 1-800-EY-HELP3, type Option 2 (HR-related inquiries) and then type Option 1 (HR Shared Services Center), which will route you to EY’s Talent Shared Services Team, or email SSC Customer Support at ssc.customersupport@ey.com.