Reporting to the Head of Digital Security and Privacy, the Application Security Specialist is responsible for developing, implementing, and enforcing the policies and procedures of the organization's security and privacy program in accordance with applicable laws and regulations. He/she assists the business in setting up processes and technical controls that support the data security and privacy strategy, and ensures that cloud platforms and digital solutions are secure and aligned with the business strategy.
The Application Security Specialist brings in-depth knowledge of data protection and information security practice, helps define requirements, and gives guidance to internal and external stakeholders on security topics. He/she works in collaboration with Digital teams such as Architecture, DevOps, Application Support, Software Development, Technical Leads, Quality Assurance, etc., conducting risk assessments, code reviews and application security testing, and coordinating penetration tests, vulnerability assessments, the bug bounty program, etc.
The specialist should demonstrate experience of taking accountability and working in a global security and privacy program, and the attitude to become a trusted partner: pro-active, positive and providing high-quality responses. This role would be suitable for candidates with the right skills and mindset who also share the Roche values and make an active contribution to achieving our vision.
Develop and maintain an application security policy within the organization's software development lifecycle; design security policy education, training, and awareness activities; monitor compliance with security policy and applicable law; and coordinate the investigation and reporting of security incidents.
Conduct the information security risk management process for digital solutions and define their security requirements; follow up on security and privacy preventive/corrective actions for the digital solutions, making sure they are compliant with the company's requirements and are resolved in a timely manner.
Conduct internal audits of existing platforms and systems to assess if they follow best practices and meet security requirements and applicable data privacy and health regulations.
Perform security review of solution design/architecture and propose changes if required, reviewing the security features of existing and new digital solutions to assess that they meet the security requirements for key health regulations, privacy law and Roche standards and policies.
Develop a DevSecOps mindset and process in the organization, helping to automate security testing within the software development lifecycle, manage code reviews, vulnerability scans and penetration test of our digital solutions.
Work closely with developers, reviewing automated security scans of source code, analyzing vulnerabilities, etc., and helping to create and evaluate remediation actions for those vulnerabilities, making sure findings are resolved in a timely manner.
Manage penetration test activities of applications and infrastructure components, working with relevant teams to close all findings and confirm completion before going live.
Transform the current processes to be able to operate in a DevSecOps model depending on the maturity of the organization and/or product.
Document and report any security incident in a timely manner to senior management and other relevant Roche security teams.
Be a security subject matter expert, specialized in application security, and respond to any security questions/requests.
Foster application security awareness and education across RDC Global R&D and Digital.
Key Skills and Experience
Bachelor's degree in Computer Science, Telecommunications or equivalent Engineering.
7+ years of experience in Information Security Management, Compliance or Risk Management role in IT or Digital context.
7+ years of professional experience in international security teams, preferably in regulated environments of the diagnostics and/or pharmaceutical industry or card payment industry.
Direct experience with large-scale cloud-based services (including SaaS, PaaS, IaaS) and an understanding of the security challenges involved in cloud applications and services.
5+ years of software development or application security testing experience, with exposure to the OWASP Top 10: including analyzing, architecting fixes for, and leading developers in remediating code-level vulnerabilities.
Experience working with automated DAST, SAST, IAST, and SCA scanning tools. Comfortable working in agile methodologies and DevOps/DevSecOps tools.
Deep understanding of web and mobile applications security threats and significant experience with vulnerability management and penetration testing against a wide variety of application layer platforms, including web, mobile and desktop solutions, above and beyond running automated tools.
Highly responsive with an ability to handle escalations quickly and professionally.
Ability to report on identified vulnerabilities and provide fixes at the code level in a developer-friendly way.
Relevant security certifications are desirable: CISSP, CEH, OSCP, CCSP or any other SANS / GIAC certification, etc.
Excellent in English reading, writing, listening and speaking skills to support Global R&D and Digital teams and partners.
Ability to travel internationally as required up to 20% of the time.
Roche is an equal opportunity employer.
We believe it’s urgent to deliver medical solutions right now – even as we develop innovations for the future. We are passionate about transforming patients’ lives. We are courageous in both decision and action. And we believe that good business means a better world.
That is why we come to work each day. We commit ourselves to scientific rigour, unassailable ethics, and access to medical innovations for all. We do this today to build a better tomorrow.
We are proud of who we are, what we do, and how we do it. We are many, working as one across functions, across companies, and across the world.
We are Roche.