This list contains only the countries for which job offers have been published in the selected language (e.g., in the French version, only job offers written in French are displayed, and in the English version, only those in English).
The Senior Offensive Security Malware Lead Analyst is a senior-level role centered on proactive and offensive cybersecurity that will lead the offensive security program for malware analysis and response. Additionally, the position will serve the broader application penetration testing domain which includes performing penetration testing engagements as well as overseeing external partner engagements to ensure that operational processes are adhered to. The primary goal is to secure Citi, its customers, and clients by proactively reviewing supply chain risks through the research, identification, validation, and exploitation of ingested malware within the software development lifecycle.
Job Responsibility:
Lead the offensive security program for malware analysis and response, focusing on proactively securing the software development lifecycle
Perform manual and dynamic analysis on potential open-source malware within NPM, Python, and other package ecosystems to identify supply chain risks
Act as a subject matter expert in offensive information security, performing manual security assessments on web technologies, including APIs, JavaScript Frameworks, and Artificial Intelligence systems
Conduct and facilitate security reviews, penetration testing engagements, and table-top/red-team/scenario analysis exercises
Drive remediation efforts by outlining defense-in-depth strategies and providing strategic solutions to developers on effective security controls
Evaluate, recommend, and assist in the selection of new and emerging external products, applications, and technologies with a focus on their security implications
Work closely with internal Applications Development to enhance both architecture and application security
Identify opportunities for enhancements to security standards, tools, and processes, and contribute to the review of internal activities for potential improvement and automation
Define secure configurations for network, database, server, and desktop technologies in alignment with security policies
Develop strong technical documentation and deliver clear presentations to articulate vulnerability assessment results to both technical and non-technical audiences
Assess risk during business decisions, ensuring compliance with applicable laws, rules, and regulations while safeguarding the firm's assets and reputation.
Requirements:
Bachelor’s Degree with a minimum of 10 years' relevant experience, or a Master’s Degree with a minimum 5 years' experience in Malware analysis and/or application penetration testing
Proven background in penetration testing and expertise in the risks associated with software supply chains and dependency trees
Hands-on experience with security testing tools such as BurpSuite Proxy, Postman, AppScan, WebInspect, and similar technologies
Must have or be willing to obtain industry-accredited security certifications such as OSCP, OSWE, CISSP, GWAPT, GPEN, or other related credentials
Advanced analytical and problem-solving skills with a demonstrated ability to take ownership and follow up on issues
Proficient in interpreting and applying policies, standards, and procedures
Excellent written and verbal communication skills
Demonstrated ability to work effectively in a team environment and perform well under pressure.
Nice to have:
Experience leveraging Artificial Intelligence to enhance offensive security processes is highly desirable.
What we offer:
medical, dental & vision coverage
401(k)
life, accident, and disability insurance
wellness programs
paid time off packages, including planned time off (vacation), unplanned time off (sick leave), and paid holidays
discretionary and formulaic incentive and retention awards