Job DescriptionThreat Modeler / Security Architect – AI Security, Cloud & DevSecOps
Must Have Technical/Functional Skills
Security Architecture & Threat Modeling
• Threat Modeler and Security Architect with a strong development background.
• Experience in Artificial Intelligence, Machine Learning, and Data Science with expertise in enterprise architecture, AI product security, and digital transformation.
• Strong hands-on experience with cloud-native architectures, including AWS and GCP.
• Experience with secure AI system development, AI governance, and cybersecurity best practices.
• Experience with threat modeling frameworks, attack vectors, and vulnerability analysis, including:
• CAPEC
• ATT&CK
• STRIDE
Application Security & DevSecOps
• Experience with application security controls across:
• Web applications
• APIs
• Mobile applications
• AI systems
• Knowledge of security frameworks and standards, including:
• NIST 800-53
• NIST Cybersecurity Framework (CSF)
• OWASP ASVS
• Experience with Application Security design and DevSecOps practices.
• Full-stack knowledge of application architectures, including:
• Single Page Applications
• REST APIs
• SOAP APIs
• Mobile applications
• Experience with:
• Java
• JavaScript
• Mobile application development
Database, Cloud & Identity Security
• Knowledge of database architectures, including:
• Oracle
• SQL
• DB2
• NoSQL databases
• Experience with cloud security architecture, design, implementation, and operations.
• Exposure to IAM controls, including:
• OAuth 2.0
• OIDC
• JWT
• Strong understanding of cryptography controls:
• Data at rest
• Data in motion
Certifications
• Preferred certifications:
• CISSP
• CISM
• CSSLP
• CISA
• CRISC
• OSCP
Key Responsibilities
Threat Modeling & Security Assessment
• Conduct security risk assessments of applications based on system design and application code implementation.
• Develop and manage security governance processes and procedures for:
• Threat modeling programs
• Application security design
• DevSecOps programs
• Assist in developing threat modeling governance documentation.
• Develop reports for management related to:
• Residual risk
• Non-compliance
• Review security controls with application owners to ensure requirements are implemented.
• Validate security control implementation against scanning tool outputs to support auditability and verification.
Security Governance & Compliance
• Work with information security leadership to develop strategies and plans to enforce threat modeling and address control gaps.
• Monitor and track compliance with application owners to ensure security controls are implemented as planned.
• Assist application teams with security standard exceptions identified through threat modeling.
• Develop and define security metrics and criteria for information security programs.
Secure Design & Engineering Enablement
• Develop, maintain, update, and enhance:
• Secure design patterns
• Secure coding standards
• Threat libraries
• Socialize secure design patterns and secure coding standards with engineering teams.
• Provide threat modeling consultation and guidance to application teams.
• Enable strong developer and customer experience while collaborating with application teams.
• Develop innovative attack techniques to evaluate protective designs and existing mitigations.
Security Strategy & Architecture
• Participate in developing strategies for information security processes and programs.
• Document current and future state security capabilities using industry-leading technologies to improve IT risk management and data protection.
• Provide security awareness and education on industry trends, efforts, and statistics.
• Recommend resource types and skillsets required to address security project and process challenges.
• Support investment decisions through business cases and cost-benefit analysis.
Agile Delivery & Collaboration
• Facilitate Agile events to help teams deliver value incrementally and iteratively.
• Support Program Increment (PI) execution through team-level events and collaboration with Release Train Engineers (RTE).
• Support teams in achieving PI objectives.
• Provide consultation and advice to assess information security risks and implement controls to protect intellectual property and sensitive data.
RequirementsSailpoint