Application Security Manager

Cyber Security Application Security Manager

Position Summary

Companies increasingly depend on information technology (IT) to conduct daily business activities, so they need to secure and control their technology infrastructure. Grant Thornton’s Cyber Risk Advisory Services practice addresses these security and control issues. We are looking for consultants with extensive consulting, technological and industry experience who will help our clients solve their complex business issues from strategy through execution. A Cyber Risk consulting career will provide the opportunity to grow and contribute to our client(s) business issues every day, applying a collection of information and Cyber security capabilities, including security and privacy strategy and governance, IT risk, security testing, technology implementation/operations, and cybercrime and breach response.

Our Application Security (AppSec) services help clients understand the current application security risk landscape, make cyber security a collective priority, and develop and implement solutions across people, processes, and technologies. We provide the foundations to design, manage and operate an application security program aligned to a business strategy and increase organizational resilience in the face of an ever-changing threat landscape.

Essential Duties and Responsibilities

  • Adhere to the highest degree of professional standards and strict client confidentiality.
  • Execute assigned client engagements from start to finish, which includes the engagement planning, directing, and completion of those engagements to budget.
  • Recommend strategies to modernize application security programs using DSOMM, CI/CD, and SLSA frameworks.
  • Execute manual/tool-driven threat modeling and security testing.
  • Execute Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Application Programming Interface (API) security testing, Software Composition Analysis (SCA), & Manual Penetration Testing (MPT), network, database, and wireless vulnerability assessments.
  • Execute security scanning/testing of modern applications at code, container, API, Web, Mobile, and cloud layers.
  • Execute application security program-level assessment using industry best practices, such as Agile, NIST, and SAFECode.
  • Assist clients in planning and executing remediation plans identified in assessment activities.
  • Work with the client to plan an engagement strategy, define objectives, and address technology-related controls risks and issues.
  • Proactively interact with key client management to gather information, resolve problems, and make recommendations for improvements.
  • Ability to manage multiple engagements and competing priorities in a rapidly growing, fast-paced, interactive, results-based team environment.
  • Participate in professional development activities and training sessions basis regularly.
  • Other duties as assigned.


  • Minimum Year(s) of Experience: 5 years.
  • Bachelor’s degree in Information Technology, Computer Science, or a related field is required.
  • Masters in Cybersecurity, Information Systems, or Business Administration is preferred.
  • Certification (s) Preferred: Certified Information Systems Security Professional (CISSP), GIAC Certified Web Application Defender (GWEB), Certified Application Security Engineer (CASE), Certified Application Security Specialist (CASS), SANS SEC540 Could Security and DevSecOps Automation, and Certified DevSecOps Professional (CDP).
  • Complete understanding of Industry Standards/frameworks such as DevSecOps, NIST, ISO 27001, PCI-DSS, etc. is necessary.
  • Demonstrate proven and extensive abilities in solving complex application security issues, including the following areas:
    • Design and development of application security programs using industry frameworks and methodologies.
    • Perform threat modeling for legacy/modern applications.
    • ­Implementation and maintenance of enterprise-wide Secure SDLC and DevSecOps framework.
    • Assessment of enterprise-wide business risks and cyber threats.
    • Development of detailed business risk scenarios and cyber threat models.
    • Design and implementation of application security controls.
    • Monitoring and reporting of application security risks, threats, and vulnerabilities.
    • Hands-on experience using tools and technology to perform SCA, SAST, DAST, and IAST assessments.
    • Hands-on experience using one or more testing tools such as SonarQube, Veracode, Fortify, IBM AppScan, Burp Suite, and OWASP Zap.

Skills Preferred

  • Three years of software development or security testing in one or more of the following Java and Microsoft. NET, C/C++, Ruby on Rails, Python, JavaScript, React, GoLang, Node.js, or C# based applications.
  • Take ownership of your work by performing self-reviews of all the work performed.
  • Produce high-quality deliverables on client engagements requiring little re-work. Ensure they are on time and well organized.
  • Ability to manage multiple engagements and competing priorities in a rapidly growing, fast-paced, interactive, results-based team environment.
  • Ability to deal with ill-defined problems and propose coherent solutions for the client.
  • Execution of assigned client engagements from start to finish, which includes engagement planning, directing, and completion while managing those engagements to budget.
  • Manage the team comprising seniors and associates and maintain professionalism across the team.
  • Apply current knowledge of software development trends to identify security and risk management issues and other opportunities for improvement.
  • Assist clients in developing and executing risk management activities.
  • Participate in client calls as Security SME; provide solutions best fitted to the requirement and in line with the industry best practices.
  • Ability to work additional hours and travel domestically as needed.