Lead Security Software Engineer
CME Group is the world's leading and most diverse derivatives marketplace. But who we are goes deeper than that. Here, you can impact markets worldwide. Transform industries. And build a career shaping tomorrow. We invest in your success and you own it, all while working alongside a team of leading experts who inspire you in ways big and small. Joining our company gives you the opportunity to make a difference in global financial markets every day, whether you work on our industry-leading technology and risk management services, our benchmark products or in a corporate services area that helps us serve our customers better. We're small enough for you and your contributions to be known. But big enough for your ideas to make an impact. The pace is dynamic, the work is unlike any other firm in the business, and the possibilities are endless. Problem solvers, difference makers, trailblazers. Those are our people. And we're looking for more.
To learn more about what a career at CME Group can offer you, visit us at www.wherefuturesaremade.com.
The CME Group Lead Security Software Engineer participates in software and application design, practices secure, scalable, and reliable implementation in accordance with industry best practices for secure coding and strong design patterns; and does so with minimal mentoring and oversight at a task level. An active, self-starting, constructive, and communicative team member. A successful candidate will be someone who can both mentor and learn from their team members, in an effort to better the entire team and the team's contributions.
The Lead Security Software Engineer position will participate in all functions related to software security design, secure SDLC techniques and practices, and applying and demonstrating strong and secure design patterns, including: contributing to software security strategy and roadmap planning when called upon, acting as a security liaison to other development organizations within CME when working with external groups, and working on developing secure reference designs, practices, and products both within the Global Information Security group and the larger company.
This role requires a high level of software engineering expertise with prior experience in secure SDLC disciplines and strong and secure design patterns and implementations within domains such as: strong cryptography, authentication and authorization, secure data handling in-transit and at-rest, auditing, input validation, strong data access patterns, secure communications exchanges, etc. In addition, a reasonable understanding of newer software architectures and patterns such as: microapps/microservices, Cloud Native designs, software defined deployments and infrastructure (e.g., CI/CD pipelines, Infrastructure-as-Code, immutable and idempotent declarative principles, etc.) will be necessary for the ultimate success of the candidate in this role.
While not a requirement, a basic technical understanding of security and regulatory frameworks (e.g., CIS, NIST 800, PCI, HIPAA, etc.) and/or exposure to certain security technologies (IDS/IPS, WAF, etc.) would be very desirable.
Principal Responsibilities
- This role will actively drive and contribute to designs of secure software reference designs, delivery systems, and enterprise-wide solutions that demonstrate secure coding principles and practices
- This role will be responsible for primary contributions to the implementation of various software products within the GIS team, inclusive of all aspects of the Secure SDLC process through to maturity
- This role will be expected to have experience in, and be able to conduct, unit, integration, and system testing of any code they produce and projects they contribute to
- This role will be expected to demonstrate skill in programming language proficiency, with mastery in at least one primary language area
- This role will be expected to write unit tests for test-driven implementations with minimal guidance
- Exhibit skilled knowledge of database and data architectures, and how to securely access and incorporate them throughout the execution lifecycle of an application
- Identifies potential opportunities for code optimization
- Provide input for code reviews and help with environment build deployment (local mockups and CI/CD), release notes, and build notices
- This role will be expected to create any necessary development documentation, such as: use cases, user requirements, design specifications, technical specifications, process flows, data flow diagrams, sequence diagrams, communications diagrams, etc.
- Reviewing code to proactively identify and mitigate potential issues and defects and help to identify sources of defects as well as troubleshoot various forms of code
This role will collaborate regularly with various peers in group settings across multiple divisions within CME Group. This role will help produce applied examples of reference architectures and help establish the next generation of secure SDLC at CME Group through implementation projects they will contribute to.
Education
A Bachelor's or Master's degree in Computer Science, Information Systems or other related field; or equivalent work experience.
Experience
- 6+ years of application development and/or infrastructure engineering experience
- 2+ years of active hands-on experience with application deployments in the Cloud (AWS, GCP, Azure)
- Experience in using DevSecOps tools and frameworks for managing infrastructure as code like (or similar to) CloudFormation, Terraform, Chef, Puppet, Ansible, etc.
- Experience with DevSecOps tools such as Jenkins, Maven, Git, and Ansible
- Experience working with containers and container systems such as Docker and Kubernetes
- Write code and scripts to automate provisioning of AWS services and to configure services, using tools and languages including AWS CLI / API, Jenkins, Python, Bash, and Git
- Experience with and understanding of logging/monitoring using tools such as CloudWatch and Splunk, etc.
- Experience with ticketing systems such as Jira
- Any familiarity with the Atlassian (Jira) SDK and the Atlassian development process is desirable
- Experience with UX/UI design, wireframing, and any of the major client-side visualization libraries (e.g., D3.js, etc.) is desirable
- Familiarity with current and emerging technologies and patterns in software development and architectures, especially within the Cloud Native space
- Ability to work across teams and geographic locations
- Excellent oral and written communication skills
- Relevant experience designing, implementing, and supporting larger scale software products
- While a certification is not absolutely required, one or more of the following would be desirable: CISSP, CSSLP, GSSP-*, CASE, CERT Secure Coding, PECB Lead Secure Application Developer