Senior Associate – Application Security

Employment contract:

Permanent

Location:

Bengaluru, Karnataka, India

Job/mission:

INFORMATION TECHNOLOGY

Reference:

48319859

About BNP Paribas India Solutions:

Established in 2005, BNP Paribas India Solutions is a wholly owned subsidiary of BNP Paribas SA, the European Union’s leading bank with an international reach. With delivery centers located in Bengaluru, Chennai and Mumbai, we are a 24×7 global delivery center. India Solutions services three business lines for BNP Paribas across the Group: Corporate and Institutional Banking, Investment Solutions and Retail Banking. Driving innovation and growth, we are harnessing the potential of over 10,000 employees to provide support and develop best-in-class solutions.

About BNP Paribas Group:

BNP Paribas is the European Union’s leading bank and a key player in international banking. It operates in 65 countries and has nearly 185,000 employees, including more than 145,000 in Europe. The Group has key positions in its three main fields of activity: Commercial, Personal Banking & Services for the Group’s commercial & personal banking and several specialised businesses including BNP Paribas Personal Finance and Arval; Investment & Protection Services for savings, investment and protection solutions; and Corporate & Institutional Banking, focused on corporate and institutional clients. Based on its strong, diversified and integrated model, the Group helps all its clients (individuals, community associations, entrepreneurs, SMEs, corporates and institutional clients) to realize their projects through solutions spanning financing, investment, savings and protection insurance. In Europe, BNP Paribas has four domestic markets: Belgium, France, Italy and Luxembourg. The Group is rolling out its integrated commercial & personal banking model across several Mediterranean countries, Turkey and Eastern Europe. As a key player in international banking, the Group has leading platforms and business lines in Europe, a strong presence in the Americas and a solid, fast-growing business in Asia-Pacific. BNP Paribas has implemented a Corporate Social Responsibility approach in all its activities, enabling it to contribute to the construction of a sustainable future while ensuring the Group’s performance and stability.

Commitment to Diversity and Inclusion

At BNP Paribas, we passionately embrace diversity and are committed to fostering an inclusive workplace where all employees are valued, respected and can bring their authentic selves to work. We prohibit discrimination and harassment of any kind, and our policies promote equal employment opportunity for all employees and applicants, irrespective of, but not limited to, their gender, gender identity, sex, sexual orientation, ethnicity, race, colour, national origin, age, religion, social status, mental or physical disabilities, veteran status etc. As a global bank, we truly believe that the inclusion and diversity of our teams is key to our success in serving our clients and the communities we operate in.

About Business line/Function:

CIB Security & IT Risk provides information security services for the BNP Paribas Group. The IT Security Professional role is based in Mumbai and will work as part of a global team covering security risks and associated activities in multiple locations across EMEA, AMER & APAC.

Job Title:

Information Security Professional

Department:

CIB Security & IT Risk

Business Line / Function:

CIB Security & IT Risk

Directorship / Registration:

NA

Position Purpose

The purpose of the position is to support the information security topics listed under the direct responsibilities below.

Responsibilities

Direct Responsibilities

– Knowledge of secure development methodologies and frameworks.

– Experience in network architecture and firewall configuration reviews.

– Knowledge of network, web application, API and infrastructure security concepts and protocols.

– Experience in threat modelling; understanding of the STRIDE, DREAD and PASTA models.

– Experience in DevSecOps principles and practices and CI/CD pipelines.

– Knowledge of containerization and orchestration technologies such as Docker and Kubernetes.

– Experience in penetration testing and tools such as AppScan, WebInspect, Fortify, AppSpider, Burp Suite, Qualys, Checkmarx, Coverity…

– Well-versed in conducting security reviews and assessments and providing recommendations.

– Knowledge of OWASP and SANS standards.

– Experience in process improvement, controls enhancement and reporting.

– Engaging with organization-wide risk and control groups, including internal audit and territory control teams.

– Identifying key risk trends, issues and other insights requiring further investigation, and following up with Technology as appropriate.

– Working with Technology stakeholders (including Production Support and Development teams) to identify the IT risks affecting the organization and formulating appropriate remediation strategies based on a full understanding of business exposure and compensating controls.

Contributing Responsibilities

– Excellent understanding of development security and its implementation in systems: identification, authentication, access control and provisioning, and alignment of jurisdiction to business process.

– Knowledge of single sign-on security strategies (e.g. SAML, OAuth2, SiteMinder).

– Excellent understanding of authentication-related mechanisms (Kerberos, one-time passwords, PKI).

– Good understanding of cryptography and its practical uses within secure application development.

– Familiarity with common security vulnerabilities (e.g. OWASP Top 10).

– Strong technical skills required to understand vulnerabilities in detail and how to resolve or mitigate them.

– Excellent knowledge of programming best practices, design patterns, etc.

– Excellent problem-solving skills: able to develop approaches to complex technology and strategy problems, build consensus across diverse interest groups and work within the constraints of practical delivery while thinking beyond the requirements of immediate issues.

– Well-developed written communication skills, with the ability to summarise key issues, conclusions and recommendations in report form. Target audiences will include regulatory authorities and internal/external auditors.

 

Technical & Behavioral Competencies

– Experience in penetration testing and tools such as AppScan, WebInspect, Fortify, AppSpider, Burp Suite, Qualys, Checkmarx, Coverity, Sonatype, Black Duck…

– Experience in network architecture reviews, DevSecOps principles, threat modelling, and containerization and orchestration technologies such as Docker and Kubernetes.

– Excellent interpersonal and presentation skills.

– Strong verbal and written communication.

– Ability to liaise with cross-functional stakeholders globally.

– Clear understanding of application and data security.

– Must be flexible, independent and self-motivated.

– Good analytical skills.

Specific Qualifications (if required)

– CEH, SSCP, CISSP, OSCP certified.

– Technical graduate (Computer Science) preferred.

Skills Referential

Behavioural Skills:

Ability to collaborate / Teamwork

Communication skills (oral and written)

Ability to share / pass on knowledge

Active listening

Transversal Skills:

Ability to understand, explain and support change

Analytical Ability

Ability to develop and adapt a process

Ability to develop and leverage networks

Ability to manage / facilitate a meeting, seminar, committee, training…

Education Level:

Bachelor’s degree or equivalent

Experience Level

At least 7 years