Associate Director, Software Engineering

• Regular security intelligence gathering and analysis (horizon scanning).
• Regularly scanning the mobile app environment and various devices for malware threats using specialized tools to detect and neutralize malicious or fraudulent behaviours, ensuring app security and user data protection.

• Ongoing assessments like vulnerability scans and penetration tests to identify and mitigate security weaknesses.

• Adjusting app security controls and related configurations to minimize vulnerabilities and optimize the mobile security environment for malware defence.

• Review architectural designs and vendor's security solutions, provide recommendations.
• Recommend enhancements of existing or deployment of new mobile security features.
• Work closely with delivery teams to develop and monitor security risk remediation programme activities and actions to ensure delivery within acceptable timelines.

• Informing users about security updates and malware incidents, providing guidance within the app for proactive protection and response.
• Educate teams in terms as to their security responsibilities, provide policies, guidance and mobile security engagement model.

• Developing plans for detecting, isolating, and addressing malware threats in the app, ensuring quick recovery and minimal disruption.

  
  Ongoing Governance

• Establishing policies, monitoring systems, and ensuring regulatory compliance to maintain ongoing app security and effectiveness against malware threats. Maintaining SLAs and feedback loop with markets.
• Surface strategic and architectural decisions through the approved governance or oversight channels as defined by the bank’s operating model
• Participate in IT Security engagement activities (e.g. risk assessment and threat modelling sessions, security risk review etc.)
• Anti-Malware Scanning
• Principal responsibilitiesPrincipal responsibilities

• Strong understanding of security industry trends, hot topics, commercial and vendor capability awareness
• Strong understanding of the security threat landscape, awareness of major historical and recent vulnerabilities, awareness of security industry responses to significant threats
• Strong understanding of zero trust security including detailed knowledge of concepts, industry whitepapers and practical implementations
• Experience in incident management, flows and documentation
• Experience supporting major programmes and other project-based activities
• Knowledge and experience with reverse engineering malware utilizing both dynamic and static analysis tools
• Security architecture or security solution architecture experience
• Experience in creating, reviewing and approving security designs
• Experience with collaboration and knowledge management tools such as SharePoint, Teams, Confluence and JIRA
• Hands on experience in working with DevOps and Agile teams following a secure software development lifecycle. Should be able to provide hands on leadership in improving automation and incorporating security as part of the CI/CD pipeline.
• Good to have experience in application risk assessment, threat modelling

• Proficient in application security reviews of mobile, web, and APIs, etc.

• Ability to assess and identify any possible vulnerabilities in technology being developed prior to implementation

• Knowledge of tools like Burp Suite, Postman, SoapUI, Checkmarx, Netsparker, Nexus IQ, etc. to perform the security testing and analysing the scanned report

• Strong grasp of application security tooling, and experience of driving automation within the delivery environment

• Industry recognised Information Security and Cyber Security qualifications is essential e.g. CISSP, CISA, OSCP, GIAC GPEN

• Good at application security testing like SAST, DAST. Experienced in web application, API Security, and mobile application security testing in conformance to various industry standards like OWASP top 10, SANS top 25 etc.

• Good to have knowledge on programming and scripting skills in languages like Java, JavaScript, Angular, Spring Boot, etc.

• Good to have knowledge of cloud platforms (Azure, AWS and GCP) and experience in performing security review against applications deployed in cloud.

• Excellent communication skills are mandatory. The role demands a great deal of interaction with various global teams and so the role holder must be able to express themselves clearly verbally and in writing

• Strong ability to translate between business talk and technical details is a must. The role requires interaction with non-technical business staff

• Strong ability to prioritize security testing requirements

• Critical thinking

• Strong decision-making skills

• A self-starter, able to act independently with minimal direction

• Experience of mobile development, security analysis, integration, and testing on Android, iOS or HarmonyOS.

• Familiar with Android, iOS or HarmonyOS system architecture, security mechanisms, security vulnerabilities and detection methods, proficient in using analysis and debugging tools

• Experience in release AppStore, Google Play and response reviewer, security audit work.

HSBCAL/GZ*

About HSBC Technology China