Security Architecture Review—Solution Delivery Lead
Deloitte’s Cyber Risk Services help our clients to be secure, vigilant, and resilient in the face of an ever-increasing array of cyber threats and vulnerabilities. Our Cyber Risk practice helps organizations with the management of information and technology risks by delivering end-to-end solutions using proven methodologies and tools in a consistent manner. Our services help organizations to address, in a timely manner, pervasive issues, such as identity theft, data security breaches, data leakage, cyber security, and system outages across organizations of various sizes and industries with the goal of enabling ongoing, secure, and reliable operations across the enterprise.
Work you will do
As a Solution Delivery lead in the hybrid operate business, you are responsible for adhering to the defined operating procedures and guidelines in operating the application security services in the Managed Services model, which includes the following:
· Oversees projects, guides the team on a day-to-day basis and ensures that assigned tasks and responsibilities are fulfilled in a timely fashion
· Demonstrates understanding of business and information technology service management processes
· Deep knowledge of application security engineering principles and helping the client’s development team follow secure development practices, which primarily includes monitoring and performing security design reviews, architecture reviews, and threat modeling.
· Review and assess the security architecture and design of software applications, infrastructure, and network systems.
· Lead and conduct in-depth reviews of application security architectures, with a focus on cloud-based environments (e.g., AWS, Azure, Google Cloud).
· Identify weaknesses, flaws, and vulnerabilities in the security architecture, considering industry best practices and regulatory requirements.
· Assess the design of cloud services and resources, identifying potential security vulnerabilities and risks.
· Ensure that security controls, encryption methods, and authentication mechanisms are appropriately integrated into the architecture.
· Provide recommendations and guidelines for enhancing the security of the architecture, such as recommending secure design patterns and access control mechanisms.
· Understand application architecture controls & design based on security standards and regulations such as NIST, PCI-DSS, ISO etc.
· Well versed in application deployment and configuration baselines, with an understanding of how the application environment operates in a secure environment and how exceptions are handled during operations.
· Understand security architecture concepts including topology, protocols, components, and principles to perform threat modeling.
· Facilitate use of technology-based tools or methodologies to continuously improve the monitoring, management, and reliability of the service.
· Be a liaison between the Application development and infrastructure team and integrate the processes between infrastructure monitoring and operations processes with the secure development/testing and management processes.
· Identify, research, and analyze application security events, which may include emerging and existing persistent threats to the client's environment.
· Conduct comprehensive threat modeling exercises to identify potential security vulnerabilities and risks within software applications, systems, and networks.
· Collaborate with development teams, architects, and other stakeholders to understand the design and functionality of systems, enabling you to assess potential threats accurately.
· Create threat models and diagrams to document identified security threats and their possible impact on the organization.
· Analyze and prioritize threats based on their potential impact and likelihood, providing actionable recommendations for mitigation.
· Prepare detailed reports and documentation summarizing the results of application security architecture reviews for cloud-based systems.
· Communicate findings and recommendations clearly to technical and non-technical stakeholders.
· Create and maintain security guidelines, policies, and procedures for cloud application security.
The team
Deloitte’s Application Security Managed Services is a standardized process to help clients with large development functions and application dependencies in their day-to-day operations. The process enables the client to address key vulnerabilities and risks in their various application environments at different stages of their development lifecycle.
At the core of our Application Security Managed Services, team professionals monitor, collect, and analyze security-related issues in the application environment (both at code level and infrastructure level) that may potentially become a threat to an organization. This detection of application threats/vulnerabilities is carried out using a unique blend of our application security testing and monitoring tools and intelligence data collected through our vast experience within the Advice and Implement business.
Required:
· Approx 5-7 years’ experience in application security testing, deployment, and security management phases
· A strong foundation in security principles and concepts, including confidentiality, integrity, availability, authentication, authorization, encryption, and secure coding practices.
· Proficiency in threat modeling methodologies and tools to identify and assess potential security threats and vulnerabilities in software and systems.
· Deep interest in application-specific vulnerabilities and infrastructure knowledge.
· Experience in collecting, analyzing, and interpreting qualitative and quantitative data from defined application security services related sources (tools, monitoring techniques etc.)
· In-depth knowledge of security architecture design and best practices, including secure design patterns, access control, and data protection
· Knowledge of cloud security frameworks (e.g., AWS Well-Architected Framework, Azure Security Benchmark) to assess and improve security measures.
· Familiarity with security standards and frameworks, such as OWASP Top Ten, NIST Cybersecurity Framework, ISO 27001, and CIS Controls.
· Ability to conduct risk assessments to evaluate the potential impact and likelihood of security risks and provide risk mitigation strategies.
· Familiarity with security testing tools like vulnerability scanners, penetration testing tools, and code analysis tools.
· Understanding of network and system architecture, protocols, and configurations to assess security at the infrastructure level.
· Understanding of industry-specific regulations, compliance requirements, and security challenges relevant to the organization's sector (e.g., healthcare, finance, or government).
· Awareness of the current threat landscape, emerging security threats, and attack vectors.
· Familiarity with software development methodologies (e.g., Agile, DevOps) to integrate security into the development process.
· Experience with performing application threat modeling using tools and manual techniques
· Understanding of leading vulnerability scoring standards, such as CVSS, and ability to translate vulnerability severity into security risk.
· Knowledge of cloud environments and deployment solutions such as serverless computing.
· Possession of excellent oral and written communication skills.
Preferred:
· Bachelor’s in computer science or other technical fields
· Experience in conducting security architecture reviews and threat modeling on cloud and on-premises solutions.
· Understanding of security essentials including networking concepts, defense strategies, and current security technologies
· Ability to research and characterize security threats, including identification and classification of application-related threat indicators
· Must have a cloud security specialization; any relevant certifications, such as Certified Information Systems Security Professional (CISSP), Certified Cloud Security Professional (CCSP), or Certified Information Systems Auditor (CISA), are a plus
Shift Timings:
- Rotational night shifts are a prerequisite
- The role may require permanent night shifts based on client/project demands