Information Security Specialist/Treat ModelerFidelity National Financial, Inc. (NYSE: FNF) is a leading provider of title insurance and transaction services to the real estate and mortgage industries. FNF is the nation's largest title insurance company through its title insurance underwriters - Fidelity National Title, Chicago Title, Commonwealth Land Title, Alamo Title and National Title of New York - that collectively issue more title insurance policies than any other title company in the United States. More information about FNF can be found at fnf.com.Fidelity National Financial (FNF) is looking for a skilled application security professional, with prior experience performing security reviews on production applications and infrastructure. FNF has several COTS, open source, and proprietary applications spread across the organization with numerous subsidiaries, each at various levels of application design. The primary focus of this role will be working with software development teams to evaluate applications and provide security assessment risk scores; thus, gaining better insight into FNF's overall application risk posture.The Information Security Specialist/Treat Modeler will also be responsible for maturing a Threat Modeling program. Working closely with the software engineers at the SDLC Design phase will help to identify attack vectors for vulnerability mitigation and security control implementation early in the development cycle. The steps in this program should allow for a lean threat modeling process that meets both the speed and flexibility requirements of a DevOps deployment. It is crucial to identify key application risks based on various methods of research, developer interactions, and analysis; then document and present findings in a clear and concise narrative or graphical representations for remediation.Duties:* Work closely with the various teams to deeply understand FNF implementations and solutions in order to document the product details, including, but not limited to, the security architecture, attack surface, trust boundaries, and data flows.* Interview application Business Owners, Product Owners, IT Owners, developers, development managers and other key stakeholders to gather critical information regarding applications and information systems (i.e. servers, databases, firewalls, etc.).* Document critical information regarding application software and information systems, including, ingress and egress points and data flows throughout the system.* Evaluate and create a threat model for applications and supporting information systems using the Microsoft STRIDE Threat Model and tools.* Develop the threat model process, including any necessary documentation, and educate Business Owners, Product Owners, IT Owners, developers, development managers and any other key stakeholders on the process and documentation requirements.Requirements:* Bachelor of Science in Computer Science, Mathematics, Engineering or equivalent experience or education.* 5+ years of experience in a hands-on security role with a demonstrated mastery of application security.* Must be a motivated, flexible, self-starter individual, with little need of continuous oversight.* Ability to communicate and gather business and technical information from a broad range of stakeholders from business leaders to application developers.* In-depth knowledge of software application architectures including web applications, desktop/non-web applications, and mobile apps.* Advanced knowledge of application information systems such as web servers, middle tier servers, databases, firewalls, switches, message queues, etc.* Familiarity with NIST Cybersecurity Framework (CSF), STRIDE, DREAD and/or other frameworks, tools, and general concepts related to threat modeling and software analysis.* Ability to apply security principles, concepts, policies, and regulations to pinpoint risks in security systems.* Understanding of OWASP Top 10 or other vulnerabilities and application threat modeling techniques and frameworks.* Experience with cloud-native development, containerization (docker, kubernetes), and container security platforms.* Collaborate with technical experts to prioritize the remediation of security findings.* Ability to prioritize complex tasks and adhere to deadlines.* Ability to document complex technical information and create extensive IT system data flow documentation.* Desire to be a champion for security culture and excellence, exercise risk-based judgement and prioritize remediation work.* Willingness and drive to challenge current processes and improve security at FNF.Education:Bachelor of Science in Computer Science, Mathematics, Engineering or equivalent experience or education.Experience:* Experience with performing application threat modeling using the Microsoft STRIDE method and Threat Modeling Tool.* Application development experience.* Experience scripting/coding with one or more languages (such as Python, .NET Core, or Bash).* Familiarity with application testing such as SAST, DAST, IAST.* IT infrastructure administration, architecture, or security engineering experience.* IT Security audit or assessment experience.* Project management experience.* Experience with security consulting or penetration testing.* Experience managing small cybersecurity or threat modeling teams.* Experience with Microsoft Azure.* Infrastructure and configuration management tooling.* Continuous integration and delivery tooling (CI/CD).* Cybersecurity industry certifications such as CompTIA, ISC2, ISACA, SAMS, etc.Additional Skills:Must have excellent verbal, written, and presentation communication skills, strong interpersonal skills and the ability to work effectively across project teams.Fidelity National Financial, Inc. is an equal opportunity employer. All employees are required to successfully pass a criminal records check.Are you a returning applicant?Previous Applicants: Email: Password:If you do not remember your password click here.
Associated topics: cybersecurity, identity access management, iam, information assurance, information technology security, malicious, phish, protect, security officer, violation