Your opportunity

The Schwab Application Security Team, under the leadership of the Chief Information Security Officer (CISO), is tasked to protect information assets in support of Schwab business objectives and in conformity with Schwab policies. The Application Security Team is a core function of Schwab Cybersecurity Services and is primarily responsible for establishing and guiding the Secure Software Development Program within Schwab. These activities include creation and rollout of software security policies and best practices, software security architecture, software security scanning, penetration testing, and the education of Schwab software developers and testers in security best practices. The Software Security Engineer ensures the control and protection of software, improves the software development process, and minimizes defects and vulnerabilities in software production.

Well qualified candidates for this position will demonstrate the following key traits:

Prior engineering experience on a Software Security Assurance team Experience partnering with development teams to balance innovation and security concerns. Capable of analyzing large amounts of disparate data to produce easily understandable content. Experience with various application security tools including Software Composition Analysis (SCA), Static Application Security Testing (SAST), secrets management, and Dynamic Application Security Testing (DAST).

Well qualified candidates will also demonstrate expertise in the following technical areas:

Application engineering experience in software development Solid knowledge in application vulnerability types, attack vectors and remediation approaches Industry best practices for secure software development include software security design requirements. Application penetration testing and vulnerability scanning tools such as Fortify and how to integrate with agile SDLC. Proficiency with IP protocols and associated security mechanisms: TCP/IP, SSL/TLS, PKI. Familiarity with well-known application security sources and standards such as OWASP, WASC and NIST. Experience with solutions for WAF/RASP technology for runtime application monitoring and protection. 2 years of experience with static and dynamic analysis and/or threat modeling tools Experience implementing enterprise deployment of application security tools, services, and controls. Solid understanding of a variety of software security practices, secure code reviews, threat modeling, security requirements analysis and architectural risk analysis

What you have

Key Accountabilities:

• Ability to positively influence the behavior of peers and build relationships with other teams without direct authority over those teams.
• Assess current practices and recommend changes to relevant policies to ensure state of the art development practices as they relate to security.
• Review security of software and identify and remediate vulnerabilities.
• Provide necessary input to philosophy and practices around software development.
• Help ensure security of software produced or procured by SCHWAB to prevent loss, inaccuracy, alteration, unavailability, or misuse of data.
• Recommend security requirements for the software development process.
• Support tools to help enable security requirements as part of application development process.
• Integrate software security scanning and testing into SCHWAB’s software development, build and testing programs.
• Work with application developers in security best practices and secure coding.
• Conduct software security testing, including penetration testing, to verify that the software complies with security requirements.
• Review, inspect and walk through source code to help developers understand vulnerabilities and provide advice to developers on remediation.
• Develop automated application specific threat models to identify security design flaws and provide guidance on application specific risks and controls.
• Identify security vulnerabilities as a result of security bugs, coding errors, omissions, and defects.

Desired certifications:

• Information Security and control certifications a plus (CISSP, CSSLP, GWEB, CISA, CISM, CEH, CRISC, etc.)

What’s in it for you

At Schwab, we’re committed to empowering our employees’ personal and professional success. Our purpose-driven, supportive culture, and focus on your development means you’ll get the tools you need to make a positive difference in the finance industry. Our Hybrid Work and Flexibility approach balances our ongoing commitment to workplace flexibility, serving our clients, and our strong belief in the value of being together in person on a regular basis.

We offer a competitive benefits package that takes care of the whole you – both today and in the future:

• 401(k) with company match and Employee stock purchase plan
• Paid time for vacation, volunteering, and 28-day sabbatical after every 5 years of service for eligible positions
• Paid parental leave and family building benefits
• Tuition reimbursement
• Health, dental, and vision insurance