Application Security Solution Architect

Company Introduction: We're home to Asia's most dynamic and vibrant capital markets. Connecting capital, ideas, inspiration and innovation for deeper, more diverse and liquid global capital markets; providing greater choice and opportunity for our customers, each and every day. HKEX is a purpose-driven company. Our commitment to the long-term development of our business and our markets is articulated in our purpose: "To Connect, Promote and Progress our Markets and the Communities they support for the prosperity of all." Job Summary: The Application Security Solution Architect (ASSA) for HKEX Group is accountable for translating group-wide information and cyber security strategy, policy and control requirements into secure application solutions. They will focus on application-level security architecture, design, processes and controls. The role is tasked with balancing the unique business objectives of a global exchange against the inherent security threat and risk profile applicable to critical national infrastructure. Job Duties: Job Responsibilities Architectural Oversight: Ensure that the information and cybersecurity architecture and solution designs for applications are engineered according to specifications and within acceptable risk tolerance levels, focusing on application-specific contexts. Support Development Teams: Collaborate with development teams to implement application-specific threat modeling, secure coding practices, and the effective use of application security assurance tools to enhance the security of software products. Integration Architecture Recommendations: Provide expert recommendations on application-level integration architecture, focusing on secure coding practices, web application firewalls, software composition analysis, static and dynamic code scanning, Software Bill of Materials (SBOM), and security measures within CI/CD pipelines, all crucial for securing application deployments. Application Security Assurance Tool Experience: Leverage experience with application security assurance tools, including onboarding, triaging issues, and assisting developers, to ensure that applications are built and maintained with robust security measures. Collaboration with Security Engineering: Work closely with the Security Engineering team to integrate security solutions into application development processes, ensuring that security is a fundamental aspect of the application lifecycle. Requirement Creation and Review: Develop and review functional and non-functional security requirements specifically tailored for application projects, ensuring these requirements enhance the security posture of applications. System Architecture Review: Conduct thorough reviews of application architecture and designs to ensure that all solutions have undergone appropriate security assurance and meet established security acceptance criteria, thereby protecting applications from vulnerabilities. Security Reference Patterns Development: Create and present application security reference patterns and technical security standards that guide secure application development, ensuring compliance with the Information Security Policy. Data Security: Create or review implementation of data layer protective and detective control patterns for data storage technologies, from high level SAAS applications to specific technologies, such as Databases, Kafka queues, object storage systems. Kubernetes / Cloud Security Expertise: Apply knowledge of Kubernetes / Cloud security technologies to enhance the security of applications deployed in containerized environments, addressing specific risks associated with cloud-native applications. Application Architecture Understanding: Demonstrate a comprehensive understanding of application architecture to apply relevant security controls and systems, minimizing cybersecurity risks specific to the application's design and functionality. Collaborative Project Delivery: Work collaboratively with project delivery and operational teams to ensure that applications are delivered on time and meet high-quality security standards throughout the system delivery lifecycle. Governance Participation: Actively participate in governance forums, such as the Architecture Community and Working Group, to contribute to the development of application security strategies and best practices Job Requirement: Academic and Professional Qualifications Required: Should have a relevant University degree in Computer Science, Information Management, or related field, or equivalent experience. Should have relevant experience with information security and enterprise architecture methods and frameworks (e.g., SABSA, TOGAF, NIST CSF) Cyber Security certifications, such as SABSA, CCSP (Certified Cloud Security Professional), CISSP (Certified Information Systems Security Professional) or security specific cloud certifications such as AWS, Azure, GCP, AliBaba Cloud, Kubernetes, etc would be looked upon favourably Required Knowledge and Level of Experience: Must have significant and wide experience in the information and cyber security industry. Must have subject matter expertise in application threat modelling, secure coding practices in either Java or C++ (or other languages such as .Net, node.js, go); and DevSecOps practices. Must have current experience of automated build and deployment pipelines and how to both secure a pipeline and assure the security of artefacts in a pipeline. Should have current experience of software and system assurance methodologies and associated vulnerability management and risk management practices. Should have current experience of operating one or more of SAST, SCA, DAST, IAST and SBOM. Should be able to perform automation scripting leveraging python and API's Should have relevant experience with industry best-practice approaches to the design, implementation, operation and management of IT systems (e.g., Agile, Waterfall, ITIL, COBIT). Should have recent experience of delivering solutions security in public and/or private cloud. Optional Knowledge and Experience: Should have experience security Kubernetes technology and familiar with secrets management, PKI, service mesh, Istio, etc. Should have experience of developing/ contributing to security policies and standards. Should have current experience securing automated build and deployment pipelines and securing artefacts Should have familiarity with internal audit, risk and control management Relevant information security experience working with or for a global exchange, or similar regulated financial market infrastructure or critical national infrastructure would be looked upon favourably. Skills set and Core Competencies Required for Role: An intelligent, articulate, consensus building and persuasive self-starter. Must have a strong business acumen and technology knowledge. Must be able to communicate information security-related concepts to a broad range of audiences. Experience of effective stakeholder management and collaborative mindset. Able to deliver within a fast-moving high-pressure environment, balancing multiple work streams and deliverables. Personal Qualities: Open and approachable, with ability to work well within a team. Effective oral and written communicator HKEX is committed as an Equal Opportunity Employer. Diversity is one of our core values and we look to support, respect diverse perspectives, abilities, culture and experiences within our workplace. Location: HKEX - TKO Shift: N/A Scheduled Weekly Hours: 40 Worker Type: Permanent