
    Senior Application Security Engineer - Charlotte, United States - AIG

    Description

    Who we are

    American International Group, Inc. (AIG) is a leading global insurance organization. AIG member companies provide a wide range of property casualty insurance in approximately 70 countries and jurisdictions. These diverse offerings include products and services that help businesses and individuals protect their assets and manage risks.

    We're also committed to making a positive difference for our colleagues and in the communities where we work and live. We encourage colleagues to give back to the causes they care most about, supporting these efforts through our Volunteer Time Off and Matching Grants Programs.

    Get to know the business

    At AIG, technology is at the heart of everything we do, from underwriting risks to processing claims. The Information Technology team equips our employees with the latest tools to complete their work efficiently and with the highest standards of excellence. The team is responsible for shielding the company's systems from security risks, while designing technology strategies that enable AIG's businesses to achieve their goals. AIG's Information Technology functions include application development and management, enterprise architecture, and technology risk and compliance.

    About the role

    The Senior Application Security Engineer will be responsible for supporting efforts to reduce API security risk within AIG by discovering, managing, monitoring, and reporting on API security vulnerabilities, and for advising the business and application teams as a senior Subject Matter Expert (SME) to enhance the security posture of the DevSecOps pipeline. The API Security SME will work with the business application teams and other technical teams to review existing and new APIs and web services in support of security control implementations that align with information security policies and standards.

    The person hired for this API security engineering position will be responsible for establishing and executing the API security testing program using various API pentest tools and manual methodologies. This role will require strong interaction with application developers to collect application detail, perform API security testing, report security vulnerabilities, and recommend remediation of API security vulnerabilities. The individual should possess strong API and traditional web application penetration testing expertise and excellent communication and organizational skills. Web application testing, penetration testing, OWASP, and prior scripting/coding experience are a plus. The scope of the duties includes researching security weaknesses within the APIs, developing automated tests, preparing reports and recommendations, collaborating with technical and non-technical staff, and reviewing code to maintain correctness and quality while ensuring security best practices are followed.

    What you need to know:

    • This is an architect role focused on the creation of strategy, not just the operation of strategy.
    • Help develop processes to maintain an accurate inventory of RESTful APIs.
    • Design and develop the automation of API discovery and automated testing using tools.
    • Administer API security testing tools, perform API code reviews, and advise product development teams on API-related technical issues and questions.
    • Perform continuous security testing for on-prem, cloud, mobile applications, and APIs.
    • Experience with API discovery automation, security testing, and validation of externally facing APIs.
    • Identify the most critical vulnerabilities across all native and third-party APIs.
    • Develop alerts and proactive monitoring on new, changed, and exposed APIs.
    • Develop the set of security standards and best practices for API implementation, recommending enhancements as needed.
    • Create repeatable methods to assess and measure the security posture of APIs and deliver key metrics to assess the overall effectiveness.
    • Help create playbooks to monitor, alert proactively, and respond to potential abuse and misuse of externally accessible API endpoints.

    What we're looking for:

    • Hands-on experience designing, developing, and testing secure APIs (e.g. with gRPC, REST, GraphQL).
    • Knowledge in evaluating OWASP API Top 10, National Institute of Standards and Technology (NIST) Special Publications, and the Open-Source Security Testing Methodology Manual (OSSTMM).
    • Experience with managing and tuning WAF/RASP/DAST/IAST tools.
    • Experience building and reviewing threat models with the ability to craft malicious user, attacker, and abuse/misuse cases.
    • Experience with at least one of the following languages: Python, Go, Ruby, or JavaScript.
    • Experience automating API security testing into CI/CD pipelines.
    • Experience building secure-by-default frameworks and libraries.

    Desired Skills:

    • 10+ years of experience designing, developing, and testing secure APIs (REST, GraphQL, and gRPC).
    • 10+ years of experience building and delivering production quality, scalable, secure software systems.
    • Knowledge of secure design patterns for distributed systems.
    • Knowledge of authentication and authorization infrastructure (e.g. SAML, OpenID, OAuth).
    • Knowledge of NYDFS and other US and international security frameworks.


    Veterans are encouraged to apply

    A look at our Benefits

    We're proud to offer a range of employee benefits and resources that help you protect what matters most - your health care, savings, financial protection and wellbeing. We provide a variety of leaves for personal, health, family and military needs. For example, our "Giving Back" program allows you to take up to 16 hours a year to volunteer in your community. Our global mental health and wellness days off provide all colleagues with a paid day off to focus on their mental health and wellbeing.

    We also believe in fostering our colleagues' development and offer a range of learning opportunities for colleagues to hone their professional skills to position themselves for the next steps of their careers. We have a tuition reimbursement program for eligible colleagues to enhance their education, skills, and knowledge in areas that relate to their current position or future positions to which they may transfer or progress.

    We are an Equal Opportunity Employer

    American International Group, Inc., its subsidiaries and affiliates are committed to being an Equal Opportunity Employer, and its policies and procedures reflect this commitment. We provide equal opportunity to all qualified individuals regardless of race, color, religion, age, gender, gender expression, national origin, veteran status, disability or any other legally protected categories such as sexual orientation. At AIG, we believe that diversity and inclusion are critical to our future and our mission – creating a foundation for a creative workplace that leads to innovation, growth, and profitability. Through a wide variety of programs and initiatives, we invest in each employee, seeking to ensure that our people are not only respected as individuals, but also truly valued for their unique perspectives.


    AIG is committed to working with and providing reasonable accommodations to job applicants and employees with physical or mental disabilities. If you believe you need a reasonable accommodation in order to search for a job opening or to complete any part of the application or hiring process, please send an email to . Reasonable accommodations will be determined on a case-by-case basis.

    Functional Area:

    IT - Information Technology

    Estimated Travel Percentage (%): Up to 25%

    Relocation Provided: No

    AIG Employee Services, Inc.

    At AIG, helping people discover new potential is our purpose. As a global risk leader, we do this for our clients every day. Through our deep expertise in their industries and our innovative solutions that help them smartly manage risk, we enable their growth in ways they never thought possible.

    But we also do the same thing for our employees, because we know our people are our greatest strength: the source of every insight, every idea and every innovation. When we're working as one team to do what's right for our colleagues and our communities, we can achieve excellence together. We encourage colleagues to give back to the causes they care most about, supporting these efforts through our Volunteer Time Off and Matching Grants Programs.

    Join our Talent Network. Additional information about AIG can be found on YouTube, Twitter, and LinkedIn.

