Lead Application Security Engineer
Remote, USA, United States
As the Lead Product Security Engineer at M&T Bank, you will support and participate in the building and implementation of software security controls in all stages of the product development life cycle. This role will offer you the opportunity to be involved with a wide range of responsibilities in transforming the software security culture and technologies. We are looking for a highly motivated, talented, and hands-on engineer who will be responsible for identifying and mitigating software vulnerabilities through code reviews, security assessments, threat modeling, and providing secure coding guidance to software engineers. This role is integral to our technology transformation journey, ensuring the security posture of our bank-wide infrastructure and products.
This role is based in Buffalo, New York, with a hybrid work model of 3 days per week in the office.
Primary Responsibilities:
• Collaborate with cross-functional teams to integrate security measures into the software development process, including conducting code reviews, secure coding guidance, and threat modeling.
• Stay up to date on emerging threats and vulnerabilities, and proactively recommend security enhancements.
• Partner with engineering teams and provide guidance and support to developers on secure coding practices and security best practices.
• Mentor product security engineers and DevSecOps professionals to ensure a strong security posture across all software development and deployments.
• Assist in the development of software security processes, configuration of tools, and management of solutions to tactically address software security vulnerabilities.
• Build and support high-quality security documentation for product security best practices.
• Utilize product security scanning tools to track, analyze, and manage vulnerabilities.
• Develop analytics to evaluate and enhance the effectiveness of the vulnerability management program, including tools, technologies, and policies.
• Communicate effectively with all levels of organizational leadership, conveying complex technical concepts in a clear and concise manner.
Education and Experience Required:
• Bachelor’s degree in Computer Science, Information Systems, Cybersecurity or applicable discipline and a minimum of 5 years of relevant work experience.
• Demonstrable experience developing and maintaining automation for product security tasks and defect identification.
• Advanced knowledge of industry standards and frameworks such as OWASP, ISO 27001, GDPR, PCI DSS, and NIST.
• Advanced experience with security testing tools and techniques and fixing vulnerabilities.
• Strong background in cybersecurity, manual code review, static/dynamic code analysis, threat modeling, bug bounty research and vulnerability management.
• Experience with at least 2-3 of the following programming languages – Java, C#, JavaScript, Python, PHP, Ruby, Scala.
• Hands-on experience with product …
Job Profile
Hybrid work model
Benefits/Perks: Hybrid work, Hybrid work model, Market-informed pay, Opportunity for mentorship
Tasks:
- Build and implement software security controls
- Conduct code reviews
- Issue resolution
- Mentor product security engineers
- Provide secure coding guidance
Skills: Analytics, Application Security, Automation, AWS, Azure, Bug bounty research, C, CI/CD, Cloud platforms, Cloud Security, Code reviews, Communication, Cybersecurity, DAST, DevOps, DevSecOps, Documentation, Dynamic Code Analysis, Encryption, GCP, GDPR, Guidance, IAST, ISO 27001, Java, JavaScript, Leadership, Mentoring, NIST, Oracle, Organizational, OWASP, PCI DSS, PHP, Problem-solving, Product Development, Programming languages, Python, Ruby, SAST, SBOM, SCA, Scala, Secure coding, Security assessments, Security Controls, Security testing tools, Software Security, Static Code Analysis, Teamwork, Threat modeling, Time Management, Verbal, Vulnerability Management, Written communication
Experience: 5 years
Education: Bachelor, Bachelor's degree in Computer Science, Bachelor's Degree in Cybersecurity, Bachelor's degree in information systems, Computer Science, Cybersecurity, Engineering, Technology