
Application Security Senior Manager

7-10 years

Gurgaon / Gurugram

1 vacancy


BCG

posted 7hr ago

Job Description

Who We Are

Boston Consulting Group partners with leaders in business and society to tackle their most important challenges and capture their greatest opportunities. BCG was the pioneer in business strategy when it was founded in 1963. Today, we help clients with total transformation: inspiring complex change, enabling organizations to grow, building competitive advantage, and driving bottom-line impact.

To succeed, organizations must blend digital and human capabilities. Our diverse, global teams bring deep industry and functional expertise and a range of perspectives to spark change. BCG delivers solutions through leading-edge management consulting along with technology and design, corporate and digital ventures, and business purpose. We work in a uniquely collaborative model across the firm and throughout all levels of the client organization, generating results that allow our clients to thrive.



What You'll Do

As the Senior Manager of Application Security, you will oversee all aspects of information security within the application development lifecycle. This role involves close collaboration with product and application teams to ensure that applications adhere to BCG security standards and incorporate robust, secure design and development practices. You will be actively involved in secure engineering, secure product design, and the use of application security tools, engaging with security champions across various levels of maturity.

Your responsibilities will also include developing and expanding the Application Security Assurance program. This involves scaling the program, integrating new application development teams, and enhancing the security of previously onboarded applications. Key focus areas will include managing application security testing tools (both commercial and open source), addressing vulnerabilities, refining scan policies and coverage, adopting new security tools as needed, and embedding these tools into the DevSecOps pipeline.

Following are key responsibilities for this role:

Serve as a subject matter expert in Application Assurance within Agile and DevSecOps environments, evolving application security processes in line with BCG security standards and industry best practices.

Conduct code reviews and automated static and dynamic security assessments of applications.

Promote the principle of "Secure By Design" baked into CI/CD by automating test scenarios using both commercial and open-source tools, and enable development teams through a self-service model of security tooling and processes.

Lead the Security Champions network, disseminate relevant application security information to keep the network motivated and informed, and ensure balanced representation across all product and application teams.

Enhance Security Champions maturity by guiding them toward and facilitating adherence to the maturity model.

Collaborate with Security Champions to develop necessary templates, address issues, and manage artifacts.

Manage and enhance static, dynamic, and interactive application security testing tools; assist developers and architects in remediating security defects by providing coding guidance and remediation consultation.

Oversee, expand, and refine the Application Assurance program to integrate security and privacy from sprint zero, and implement the program across BCG.

Enable development teams to integrate security throughout the SDLC stages (planning, designing, development, and testing) and proactively engage with them on security best practices.

Coordinate with application developers, Security Champions, architects, and project managers to improve application security posture and achieve standard security conformance across the enterprise.

Support development teams in creating security unit and smoke test cases based on an application's threat model.



What You'll Bring

The desired candidate will have an application security background with sound application development knowledge, such as how developers work, what tools and technologies they use, and how they collaborate. The following are key skills for this role:

  • Proficiency in secure coding practices with expert-level knowledge of security defects, particularly those related to the OWASP Top 10 and SANS 25, and the ability to fix defects at the code level.
  • Understanding of the security implications of AI-generated code, with the ability to assess and address security risks associated with AI-generated code, including identifying potential vulnerabilities that may not be evident through traditional code analysis methods.
  • Integration of security practices in AI code generation processes, ensuring proficiency in integrating security measures into the AI code generation lifecycle to maintain adherence to secure coding standards and practices.
  • Strong automation mindset, capable of integrating security tools and processes into the DevSecOps cycle, including creating security requirements and value stream mapping to specific DevSecOps stages/tasks.
  • Proficient in AWS cloud security governance, Docker, Kubernetes, and the integration of security tooling into DevOps environments.
  • In-depth understanding of security within CI/CD processes, as well as security external to CI/CD.
  • Familiarity with Web Application and API Protection (WAAP) tooling, focusing on providing guidance to ensure effective security measures for web applications and APIs.
  • Expert-level capability in performing automated code and application scanning using both commercial and open-source tools across various frameworks and platforms, clearly understanding their advantages, challenges, and limitations.
  • Ability to write automation programs, preferably in platform-independent languages, to integrate security tools according to the security value stream or to write security tests within CI/CD pipelines.
  • Experience in evaluating, deploying, and managing best-in-class commercial and open-source application security testing tools at an enterprise scale.
  • Security source code review skills across multiple languages and frameworks (JavaScript, Java, .NET, Node.js, Angular, technologies supporting SPA), and the ability to advise teams on secure coding guidelines.


Who You'll Work With

You will work in a fast-paced, intellectually intense, service-oriented environment to protect our applications and information systems. You will be a part of a team of security architects, enterprise architects, and security professionals working in support of consultants delivering business and management strategy to our clients through these applications and systems. You will work with application developers, data analysts, and system owners providing information security for applications and systems.



Additional info

YOU'RE GOOD AT

This role will serve various teams and functions at the enterprise level, overseeing teams responsible for developing applications and products, with Information Security Risk Management (ISRM) as a major stakeholder. This position will be intensive in terms of change and communication, requiring both short-term and long-term engagement with business and technology owners across BCG. The following key attributes will help you succeed in this job:

  • Strong belief in application security as a means to enhance product speed to market.
  • Ability to articulate complex security topics in both business and plain language.
  • Persuasive skills and the ability to negotiate in support of the program.
  • Strong reasoning and analytical abilities, capable of creating mental visuals and comfortable handling ambiguity.
  • A proactive attitude in removing roadblocks and enabling teams to achieve their objectives.
  • Providing guidance and mentorship to team members, fostering a culture of continuous learning and growth in application security practices.


Boston Consulting Group is an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, age, religion, sex, sexual orientation, gender identity / expression, national origin, disability, protected veteran status, or any other characteristic protected under national, provincial, or local law, where applicable, and those with criminal histories will be considered in a manner consistent with applicable state and local laws.
BCG is an E-Verify Employer.


Employment Type: Full Time, Permanent

BCG Gurgaon / Gurugram Office Location

Gurgaon Office
The Boston Consulting Group, 19th Floor, Tower C, Building No 10, DLF Cyber City, Phase-II Gurgaon
Haryana 122002
