Threat Modelling Architect - Application Security at JP Morgan Chase (Jersey City, NJ)
Desired Skills and Experience
- Collaborating with all LoBs, create and actively maintain pipeline of Threat Models for Reference Architectures.
- Prioritize, create, review, present and socialize Threat Models in various firm-wide public forums.
- Ensure that Threat Models are understood and adopted by LoB IT Risk teams.
- Develop and maintain metrics for Threat Models adoption.
- Work with Cyber Threat Intelligence teams to build and maintain the Threat Catalog and feed this information into the various tools and processes used by the Threat Modeling team.
- Perform manual Security Architecture Risk Analysis (SARA) / Threat Model Reviews (TMR) of applications and assess their designs against known and emerging threats.
- Prepare risk report for each SARA / TMR assessment explaining attack surface, threats, flaws and provide remediation guidance to mitigate listed threats.
- Communicate findings and remediation guidance to development teams in a concise and succinct manner.
- Learn and support internal Threat Model Review and Threat Model Tools and infrastructure.
- Acquire and maintain a working knowledge of relevant laws, regulations, and JPMC policies, standards, and procedures.
- BS degree in computer engineering or equivalent.
- Subject Matter Expert in Application Security with 5+ years of experience in the following:
  - Security Design Reviews or Architecture Risk Analysis
  - Threat Model Patterns for applications.
  - Identifying top risks and vulnerabilities identified with OWASP, NIST, SANS…
  - System software and organizational design standards, policies, and authorized approaches (e.g., ISO) relating to system/application design.
  - Software design tools, methods, and techniques
- Skilled in Threat Model methodologies and approaches such as STRIDE, Attack Trees
- Skilled in recognizing vulnerabilities in application designs.
- Knowledge of system and application security threats and vulnerabilities
- Knowledge of network security architecture concepts, including topology, protocols, components, and principles (e.g., application of defense-in-depth)
- Knowledge of application penetration testing principles, tools, and techniques.
- CISSP, CSSLP certifications are desirable.
- Ability to work under pressure in time critical situations
- Ability to resolve conflict in a collaborative manner
- Must be a driver of change and have strong influential skills
- Excellent written and verbal communication skills, including the ability to independently and effectively participate in strategic discussions / meetings with peers across the firm.
- Ability to communicate effectively with business representatives in explaining impacts and strategies and, where necessary, in layman's terms