Senior Application Security Analyst - Vice President

As a Senior Application Security Analyst in the CISO organization at Citi, your role involves providing application security services to Citi businesses throughout the Software Development Life Cycle (SDLC). You will be responsible for performing deep-dive source code reviews for development organizations and collaborating with teams to ensure proper remediation. **Key Responsibilities:** - Perform Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST). - Conduct manual source code reviews to identify vulnerabilities, including logical flaws, business logic bypasses, and insecure design patterns. - Review and validate automated testing results, prioritize actions for issue resolution, and perform application binary analysis when source code is not available. - Identify opportunities for automation, develop custom rules, standardize information security controls, and participate in engineering team calls to ensure proper scan coverage. - Design, develop, and implement AI/ML-driven utilities and models to enhance source code analysis and predict vulnerabilities. - Write formal security assessment reports for each application using the company's standard reporting format. - Direct the development and delivery of secure solutions, collaborate with application teams for timely remediation of security vulnerabilities, and provide guidance on secure coding best practices. - Manage security assessments for multiple projects simultaneously, ensuring project timelines are met. - Research and explore new testing tools and methodologies, and mentor junior team members. - Appropriately assess risk and drive compliance with applicable laws, rules, and regulations to safeguard Citigroup and its assets. **Qualifications:** - At least 12+ years of relevant experience in web development, source code review, or application security testing. - Deep understanding of application security principles, common vulnerabilities, and secure coding practices. - Development background in enterprise languages like Java/J2EE, C#, .NET, Python, JavaScript/Node.js. - Strong understanding of DevSecOps principles, CI/CD pipelines, and integrating automated security tools into SDLC. - Experience with commercial enterprise automated security testing tools such as Burp, Fortify, Checkmarx, Blackduck, Snyk. - Proficiency in leveraging SAST tools, manual code review techniques, and identifying complex vulnerabilities. - Experience in AI/ML development, including data modeling, algorithm design, and implementation using Python and relevant libraries/frameworks. - Familiarity with natural language processing (NLP) techniques for code analysis is a plus. - Professional certifications such as CISSP, CSSLP, GIAC, CEH are highly preferred or willingness to obtain. **Education:** - At least a bachelor's degree or equivalent experience. If you are interested in this role, please review the above responsibilities and qualifications to see if you are a good fit.,