Application Security Manager

Tech Remote, United States Req. UMG-5390


We are UMG, the Universal Music Group. We are the world’s leading music company. In everything we do, we are committed to artistry, innovation, and entrepreneurship. We own and operate a broad array of businesses engaged in recorded music, music publishing, merchandising, and audiovisual content in more than 60 countries. We identify and develop recording artists and songwriters, and we produce, distribute, and promote the most critically acclaimed and commercially successful music to delight and entertain fans around the world.

How you’ll LEAD:

Our team is looking for an Application Security Manager with extensive product security experience and deep expertise in web security, applied cryptography, and software security vulnerabilities, knowledge of IAM solutions including federation, and superb knowledge of software security standards and best practices.

We take security very seriously, and protecting our customers is our highest priority. If you are a self-starter who is passionate about security and is excited to work in a highly collaborative environment alongside a diverse team of experts every day, this position is for you.

You will be responsible for managing the day-to-day activities related to the security governance track of the Application Security Team. You will be the technical subject matter expert for multiple areas of application and product security. You will handle managing design reviews, technical security assessments, and code reviews to highlight risk and help engineering teams improve the overall security of our products. You will be a security leader within the company, gaining a solid understanding of our products and systems, and ensuring that security is built in. This position requires both deep and broad technical knowledge across a range of disciplines, and the ability to work hands-on across a wide variety of software designs and technology stacks.

In addition to having strong technical skills, you must be comfortable in effectively communicating with business end users, technical IT teams, business partners, network providers, and business process outsourced vendors, all while being sensitive to a wide diversity of cultural and technical backgrounds in a global business environment.

How you’ll CREATE:

  • Manage day-to-day activities related to the security governance track of the Application Security Team
  • Liaise with customer relations and the team responsible for addressing external requests related to AppSec
  • Coordinate security training for the Organization’s development staff with Global Security Office
  • Manage and update Key Performance Indicators (KPIs) for the Application Security Program
  • Coordinate with team members and GSO policy management to ensure control standards and policies are up to date
  • Manage the application security threat modelling process and coordinate application threat models against the Organization’s applications
  • Liaise with various internal teams (Application Development, IT Architecture, Corp. Procurement Services, Source Code Management, IT Asset Management) on application security initiatives and automation efforts
  • Manage new projects and initiatives related to application security as needs arise
  • Mitigate risk by following established procedures and monitoring controls, spotting key errors, and demonstrating strong ethical behavior
  • Manage security best practices and standards across varied engineering teams and environments.
  • Manage code reviews with a combination of static testing, manual reviews, and dynamic analysis / pen-testing.
  • Manage the implementation of tooling and automation for application security (e.g., SAST/DAST in CI/CD)
  • Manage regular security testing and code reviews to improve software security
  • Manage technical documentation related to software security.
  • Ensure software security at all levels of architecture
  • Stay up to date with the latest tools and advanced industry practices for software security.
  • Advocate for security culture and educate colleagues across all parts of UMG.

Bring your VIBE:

  • In-depth technical and foundational knowledge of software engineering, computer systems, security engineering, authentication, and/or applied cryptography.
  • Solid knowledge of all web technologies, especially web services, web applications, Service Oriented Architectures, and network/web protocols
  • Sound knowledge of all procedures, standards, and regulations for authorization and authentication, applied cryptography, and security vulnerabilities.
  • Software engineering experience in all phases of the software development lifecycle.
  • Strong experience in web security and federation protocols (SSL/TLS, REST, OAuth, SAML, LDAP-S, WS-Federation, SCIM, OIDC, XSS, etc.)
  • Experience working with AWS or other cloud environments (development/architecture)
  • Experience with cloud and web application security standards (OWASP ASVS, SANS 25, etc.)
  • Understanding that goes beyond the OWASP Top 10, shown by explaining the level of risk to the business.
  • 5+ years of experience in software development in one or more of the following programming languages: .NET, Python, Java, JavaScript (Node/React), and/or Go
  • Comfortable with tools like BluBracket, NoName API Security, Burp Suite, OWASP ZAP, Checkmarx, Veracode, AppSpider, etc.
  • A deep interest in following the latest industry advancements in software security and implementing them.
  • An analytical mind with a problem-solving attitude
  • Excellent organizational and communication skills
  • A Bachelor's degree in Computer Science, Computer Engineering, Software Engineering, Cybersecurity, Information Security, or a related technical field.
  • 10+ years of hands-on technical experience.
  • Experience in Docker, Terraform, Kubernetes.
  • Experience working in an Agile development environment.
  • Experience with regulatory requirements, and aligning security standards, frameworks, and corporate policy with overall business and technology strategy.
  • Experience securing operating systems, networks, and low-level infrastructure.
  • Experience with attacker tactics, techniques, and procedures, and corresponding mitigation methods.
  • Experience with automation tools like Ansible, Chef, Puppet, Jenkins
  • Experience with automated application testing tools/frameworks e.g. Selenium, SonarQube
  • Experience with Web Application Firewalls (WAF)
  • Knowledge of AD/Azure AD, Azure AD B2B/B2C, and Okta
  • Multiple language skills

Perks Playlist:

  • Competitive Compensation Package including Salary, Benefits and Generous 401k Savings Plan
  • Paid Time Off – Paid Holidays, “Winter Break”, Summer Fridays
  • Student Loan Repayment Assistance
  • Employee Developmental Support
  • Annual Gym Reimbursement Package
  • Pet Insurance, plus much more!

Universal Music Group is an Equal Opportunity Employer

All UMG employees are currently required to be fully vaccinated against COVID-19 before entering any Company offices unless they have been approved for an exemption or unless prohibited by applicable law.

Disclaimer: This job description only provides an overview of job responsibilities that are subject to change.