Manager, IT Security

The Manager, Application Security is responsible for strengthening our enterprise application security posture. This is a hands‑on individual contributor role responsible for performing penetration testing, secure code review, software composition analysis, container image assurance, and vulnerability assessments, as well as managing findings and supporting compliance with financial industry regulations. The role requires strong technical expertise, practical testing skills, and familiarity with regulatory requirements such as MAS TRM Guidelines and BNM RMiT Policy Document.

• Conduct penetration testing for web, mobile, and API applications.
• Perform secure code reviews, software composition analysis, and container image assurance to identify vulnerabilities early in the SDLC.
• Perform vulnerability assessments for applications, middleware, and supporting systems.
• Utilise industry‑standard tools such as Burp Suite, OWASP ZAP, Fortify, Checkmarx, Black Duck, Nessus, Aqua and Qualys.
• Triage, validate, and prioritise security findings from security assessments.
• Work with development, DevOps, and infrastructure teams to ensure timely remediation.
• Track and report remediation progress, ensuring closure within timelines required by regulatory instruments and Technology Security Standards.
• Provide guidance to developers and project teams on secure coding practices.
• Embed application security controls and tools (SAST, DAST, SCA, IAST) into CI/CD pipelines.
• Maintain security documentation and provide evidence for audits and regulatory reviews.
• Ensure compliance with internal policies, regulatory obligations, and industry best practices.
• Support audits, risk assessments, and regulatory inspections involving application security.

• Bachelor’s degree in Information Security, Computer Science, or related field.
• Professional certifications such as CREST, OSCP+, OSEP, or GPEN.
• 7+ years of IT security experience, with at least 4 years of direct experience in project‑based and annual penetration testing for web, mobile, and API applications.
• Experienced in secure code reviews, software composition analysis, container image assurance, and vulnerability assessments.
• Strong technical knowledge of web, mobile, and API security, including OWASP Top 10 and common attack vectors.
• Hands‑on expertise with security testing tools mentioned above.
• Working knowledge of MAS TRM, MAS Cyber Hygiene, and BNM RMiT requirements.