Global Software Security Analyst Manager (741)

Date: Sep 9, 2021

Location: London, United Kingdom

Company: KPMG UK

ITS Global (Information Technology Services Global) is one of four pillars within KPMG’s Global Technology & Knowledge (GT&K) group. As such, ITS Global provides innovative components that KPMG’s business functions and member firms use to deliver client-facing solutions. ITS Global also provides the information protection and technology infrastructure that secures KPMG’s technology environment and connects its network of member firms. ITS Global works with the other GT&K pillars to provide KPMG technology solutions that leverage world-leading partnerships, disruptive digital capabilities and access to the firm’s collective intelligence.

Role Summary
The Solution Review Software Security (Secure Code) Manager is responsible for leading a team of analysts in identifying and tracking software vulnerabilities, as well as recommending design changes to ensure the secure implementation of software solutions with the minimal degree of technical risk. The Secure Code Manager works to identify, triage, and provide remediation guidance of vulnerabilities within software applications and systems using a variety of tools, techniques, approaches and methodologies. The Secure Code Manager leads the planning, quality assurance, and governance for KPMG International’s Secure Code activity.

Key Accountabilities
Accountability (% of time):
30% Lead a team of subject matter experts for secure coding, exercising proficiency in multiple programming languages and developer frameworks (e.g. C#, ASP.NET, MVC, jQuery, TypeScript, Angular, and Bootstrap). Learn on the fly and train others to improve the team’s technical expertise. Monitor and observe the efforts of the team to ensure a consistent quality of analysis.
20% Apply in-depth experience and knowledge of foundational security concepts, software threats, threat modeling, vulnerability exploitation, and common application vulnerabilities (including, but not limited to SQL Injection, Cross-Site Scripting, and Session Management) to help development teams protect KPMG’s IT systems from attack.
20% Leverage familiarity with common application architectures (Micro Services, MVC, SOA+SPA, etc.) to detect vulnerabilities and suggest improvements.
15% Design and implement automated tools for static and dynamic analysis of software to find defects and vulnerabilities. For example: Fortify On-Demand, WebInspect, Qualys, and Application Insights. Integrate these tools into continuous integration (Build) pipelines in Azure DevOps to facilitate automatic scanning for Agile and DevOps teams. Audit/monitor compliance of development teams in their use of tools.

“Everyone a Leader” Competencies
Apply a strategic perspective: Uses diverse sets of inputs to develop a broad perspective on business and people issues
Build collaborative relationships: Connects with individuals, teams and organizations to build lasting, collaborative relationships that enable global, firm-wide growth
Foster innovation: Embraces a culture of innovation and experimentation to create value
Drive quality: Delivers high-quality products and exceptional service that provide value and exceed client expectations
Develop and motivate others: Engages teams, instills confidence, and coaches people to find meaning in their work and achieve exceptional results

Technical Skills & Qualifications
- Professional certifications in information technology security; Certified Information System Security Professional (CISSP) preferred
- Bachelor's degree in Computer Science(s), Information Technology/Security, Systems Engineering or similar area.
- A holistic understanding of attack vectors, current threats, and remediation strategies.
- Experience with computer forensics practices and procedures, basic investigations, and evidence handling is preferred.
- Conduct hands-on review of software applications and systems from a security and privacy perspective; review and contribute to KPMG IT Standards used in the solution security review process; and provide security recommendations and better practices regarding secure software development in waterfall, agile, and DevOps methods.
- Experience in supporting software application and system code security assessments using automated tools such as Fortify On-Demand.
- Background working on large-scale international projects and the ability to manage multiple processes and projects at once.
- Demonstrated ability to lead and collaborate with a globally dispersed, multi-cultural, and multi-discipline team while gaining and maintaining credibility with others.