Desired Skills and Experience

  • Collaborating with all LoBs, create and actively maintain a pipeline of Threat Models for Reference Architectures.
  • Prioritize, create, review, present and socialize Threat Models in various firm-wide public forums.
  • Ensure that Threat Models are understood and adopted by LoB IT Risk teams.
  • Develop and maintain metrics for Threat Models adoption.
  • Work with Cyber Threat Intelligence teams to build and maintain the Threat Catalog and feed this information into the various tools and processes used by the Threat Modeling team.
  • Perform manual Security Architecture Risk Analysis (SARA) / Threat Model Reviews (TMR) of applications and assess their designs against known and emerging threats.
  • Prepare risk report for each SARA / TMR assessment explaining attack surface, threats, flaws and provide remediation guidance to mitigate listed threats.
  • Communicate findings and remediation guidance to development teams in a concise and succinct manner.
  • Learn and support internal Threat Model Review and Threat Model Tools and infrastructure.
  • Acquire and maintain a working knowledge of relevant laws, regulations, and JPMC policies, standards, and procedures.
  • BS degree in computer engineering or equivalent.
  • Subject Matter Expert in Application Security with 5+ years of experience in the following:
      • Security Design Reviews or Architecture Risk Analysis
      • Threat Model Patterns for applications
      • Identifying top risks and vulnerabilities identified with OWASP, NIST, SANS…
      • System software and organizational design standards, policies, and authorized approaches (e.g., ISO) relating to system/application design
      • Software design tools, methods, and techniques
  • Skilled in Threat Model methodologies and approaches such as STRIDE and Attack Trees.
  • Skilled in recognizing vulnerabilities in application designs.
  • Knowledge of system and application security threats and vulnerabilities.
  • Knowledge of network security architecture concepts, including topology, protocols, components, and principles (e.g., application of defense-in-depth).
  • Knowledge of application penetration testing principles, tools, and techniques.
  • CISSP, CSSLP certifications are desirable.
  • Ability to work under pressure in time-critical situations.
  • Ability to resolve conflict in a collaborative manner.
  • Must be a driver of change and have strong influencing skills.
  • Excellent written and verbal communication skills, including the ability to independently and effectively participate in strategic discussions / meetings with peers across the firm.
  • Ability to communicate effectively with business representatives in explaining impacts and strategies and, where necessary, in layman's terms.