This role is responsible for collaborating with security and development teams to secure products and applications across Guidewire’s fast-growing customer facing cloud-based environments and the global IT enterprise infrastructure. Security is a critical part of the Guidewire business and product strategy and you would be working with a team of security professionals helping to protect our brand, reputation, and intellectual property.
- You will support a Product Security program through a close working relationship with DevOps, Product Development and QA teams.
- You would additionally be responsible for security testing and risk analysis of Guidewire’s on-premise and cloud-hosted applications and products using various security tools. This includes, but is not limited to web application firewalls, static code scanning tools, application penetration testing tools, threat modeling and open source software review.
- Collaboration with Guidewire developers and product managers to provide guidance, best practices and technical assistance in addressing product security issues will also be part of the responsibilities.
- Work on creation, continuous development and running Secure SDLC process for the organization
- Work with teams to determine application in scope, perform following to identify vulnerabilities and prioritize remediation
- Threat Modeling
- Static & Dynamic application security scanning
- Open Source Security Review
- Application and Network layer Penetration Test
- Manage and drive security vulnerability issues to resolution, make further recommendations that deliver a safer and more secure experience to customers
- Provide expertise and guidance to application developers and product management on issues of product security
- Research the latest security best practices and technologies, staying abreast of new threats and vulnerabilities and helping disseminate this information within the groups at Guidewire
- Provide guidance on relevant application security industry standards and practices such as OWASP, SANS, CWE, CWSS, CVE, CVSS, etc
- Oversee third-party vendors during penetration testing, architecture consulting and security review engagements
- Track milestones, deliverable dates and specific task plans per Product Security roadmap.
- Own and manage security tools pertaining to SAST (Checkmarx or similar), OSS (Blackduck/ WhiteSource) and DAST (Burpsuite or similar)
Skills and Experience:
- Minimum 5 years of hands-on experience in application and network security testing, risk evaluation of findings and remediation recommendations
- Experience with security testing tools like (but not limited to) Nessus, Metasploit, Burpsuite, Nmap, Kali Linux, etc.
- Experience providing security testing and reviews within cloud implementations (e.g. AWS \ Azure)
- Understanding of Agile software development methods using SCRUM
- Application development / software development experience, understanding of secure coding principles
- Understanding of application threat modeling and SDLC security best practices
- Collaborating with product development units on application security best practices
- Familiarity with enterprise productivity tools, such as Rally, Confluence, JIRA, etc
- Experience operating and managing code scanning tools, such as Veracode, Checkmarx, or BlackDuck
- Preferred Certifications: OSCP, CISSP, CSSLP, AWS Solutions Architect, or equivalent.
Guidewire exists to deliver the industry platform that P&C insurers rely upon to adapt and succeed in a time of accelerating change—and to ensure that every customer succeeds in the journey. We provide the software, services, and partner ecosystem to enable our customers to run, differentiate, and grow their business.
Guidewire InsurancePlatform is the P&C industry platform that unifies software, services, and partner ecosystem to power our customers’ business. InsurancePlatform provides the standard upon which insurers can engage their customers, optimize their operations, drive smart decisions, and innovate quickly. We are privileged to serve more than 350 P&C insurers in 32 countries. We invest heavily in R&D to build a technology platform that combines three elements—core processing, data and analytics, and digital engagement—to enhance insurers’ ability to engage and empower their customers and employees.