Corebridge Financial
Application Security Architect
Corebridge Financial, Durham, North Carolina, United States, 27703
Who We Are
At Corebridge Financial, we believe action is everything. That's why every day we partner with financial professionals and institutions to make it possible for more people to take action in their financial lives, for today and tomorrow. We align to a set of Values that are the core pillars that define our culture and help bring our brand purpose to life: We are stronger as one: We collaborate across the enterprise, scale what works and act decisively for our customers and partners We deliver on commitments: We are accountable, empower each other and go above and beyond for our stakeholders We learn, improve and innovate: We get better each day by challenging the status quo and equipping ourselves for the future We are inclusive: We embrace different perspectives, enabling our colleagues to make an impact and bring their whole selves to work About the role
The Application Security Architect to lead the design, implementation, and oversight of secure application architectures across our organization. This role focuses on integrating security into software development processes, collaborating with developers and application security teams, and building scalable, secure application frameworks. The ideal candidate will bring deep expertise in application security, strong communication skills, and the ability to work independently or collaboratively to drive security initiatives and foster a security-first culture. Design, document, and maintain secure architecture patterns, diagrams, and reference architectures for Web, API, and Mobile applications. Conduct security reviews of application designs, APIs, and development pipelines, identifying vulnerabilities and recommending secure design strategies. Perform threat modeling and risk assessments to identify vulnerabilities and recommend appropriate mitigating controls. Recommend and oversee the implementation of security controls in CI/CD pipelines, ensuring governance and standardization of tools such as SAST, DAST, and IAST. Collaborate closely with application security teams, developers, application owners, cloud teams, and engineering teams to integrate security into the SDLC and organizational workflows. Communicate risks effectively to developers, application owners, and senior executives, tailoring technical risks into actionable insights for both technical and non-technical audiences. Guide the adoption and implementation of OWASP standards, including ASVS, OWASP Top 10, and API Security Top 10. Demonstrate strong knowledge and understanding of microservices driven architecture, ensuring secure integration into overall system design. Maintain familiarity with APIs, API gateways, service mesh, and API-related security tooling and practices to secure API designs and integrations. Provide expertise in container security, advising on the use of immutable operating systems and secure deployment practices. Partner with developers and engineering teams to promote secure coding practices and ensure security is a natural part of their workflows. Stay informed of emerging application security threats and technologies, and proactively recommend improvements to enhance the security posture. Foster a security-first culture by mentoring development teams, promoting secure coding practices, and embedding security in organizational workflows. Please note:
The job can only be performed in the State location listed: Jersey City, NJ, Durham, NC, and Houston, TX. What we are looking for
Required Qualifications:
7+ years of hands-on experience in application security, secure coding, and software development practices for Web, API, and Mobile applications. Strong ability to create and review application designs, diagrams, and reference architectures. Expertise in secure software development life cycle (SDLC) and DevSecOps processes. Proficiency in SaaS, PaaS, and IaaS environments, including platforms like AWS, Azure, M365 and Saleforce. Experience with various application security tools, such as SonarQube, Veracode, Codacy and familiarity with integrating security into CI/CD pipelines. Knowledge of common CI/CD pipeline and development tools, such as Jenkins, GitHub, Artifactory, Terraform, Vault. Knowledge of containerization and orchestration technologies like Docker, Kubernetes, EKS, ECS and OCP, including container security practices and the use of immutable containers. Working knowledge of regulatory requirements and compliance standards such as NYDFS, CCPA, PCI-DSS, HIPAA, SOX, and GDPR. Relevant certifications such as CISSP, CSSLP, OSCP or equivalent. Ability to work independently or collaboratively in a team-oriented environment. Bachelor's degree in a relevant field or proven record of experience in Information Technology and Cyber Security roles. Technical Skills:
Knowledge of OWASP ASVS, OWASP Top 10, API Security Top 10, and secure coding practices. Proficiency in designing, implementing, and securing API gateways (e.g., Kong, Apigee, AWS API Gateway) and service mesh (e.g., Istio, Linkerd) for secure communication and service management. Expertise in implementing security controls in CI/CD pipelines, ensuring alignment with security standards and best practices using tools such as Jenkins, GitHub, and Terraform. Knowledge of securing containerized environments, including securing images, leveraging immutable OSes, and applying best practices in orchestration security. Expertise in designing processes for patching vulnerabilities and implementing resilient deployment strategies (e.g., blue-green deployments). Expertise in encryption (e.g., TLS, AES, RSA) and secure data management practices. Common Security and Architecture Frameworks:
OWASP ASVS (Application Security Verification Standard) NIST Cybersecurity Framework (CSF) ISO 27001 and 27002 CIS Controls SABSA (Sherwood Applied Business Security Architecture) TOGAF (The Open Group Architecture Framework) AWS Well-Architected Framework Preferred Certifications:
Certified Secure Software Lifecycle Professional (CSSLP) GIAC Web Application Penetration Tester (GWAPT) GIAC Secure Software Programmer (GSSP) AWS Certified Solutions Architect - Associate or Professional AWS Certified Security - Specialty Microsoft Certified: Azure Solutions Architect Expert TOGAF (The Open Group Architecture Framework) SABSA Foundation or Practitioner Soft Skills:
Strong analytical and problem-solving abilities. Excellent interpersonal and collaboration skills. Proven ability to communicate complex ideas to technical and non-technical audiences. Strong organizational and time management skills. Adaptability and a commitment to continuous learning of new technologies and methodologies. Attention to detail and dedication to delivering high-quality results. High level of integrity and ethical conduct. Industry-Specific Experience:
Experience in financial services, insurance, or other regulated environments. Proven ability to design and implement application security controls that align with industry regulations and standards. Experience conducting application security assessments and audits in regulated industries. Familiarity with industry-specific application threats and vulnerabilities to tailor security solutions. For position based in Jersey City, NJ, the base salary range is $128,000 - $155,000 and the position is eligible for a bonus in accordance with the terms of the applicable incentive plan. In addition, we're proud to offer a range of competitive benefits. #LI-SAFG #LI-CW1 #LI-Hybrid This role is deemed a "covered associate" under SEC Rule 206(4)-5, 17 CFR § 275.206(4)-5, Political contributions by certain investment advisers, and other federal and state pay-to-play rules. Candidates for the role must not have made any political contributions that, under 17 CFR § 275.206(4)-5 or
At Corebridge Financial, we believe action is everything. That's why every day we partner with financial professionals and institutions to make it possible for more people to take action in their financial lives, for today and tomorrow. We align to a set of Values that are the core pillars that define our culture and help bring our brand purpose to life: We are stronger as one: We collaborate across the enterprise, scale what works and act decisively for our customers and partners We deliver on commitments: We are accountable, empower each other and go above and beyond for our stakeholders We learn, improve and innovate: We get better each day by challenging the status quo and equipping ourselves for the future We are inclusive: We embrace different perspectives, enabling our colleagues to make an impact and bring their whole selves to work About the role
The Application Security Architect to lead the design, implementation, and oversight of secure application architectures across our organization. This role focuses on integrating security into software development processes, collaborating with developers and application security teams, and building scalable, secure application frameworks. The ideal candidate will bring deep expertise in application security, strong communication skills, and the ability to work independently or collaboratively to drive security initiatives and foster a security-first culture. Design, document, and maintain secure architecture patterns, diagrams, and reference architectures for Web, API, and Mobile applications. Conduct security reviews of application designs, APIs, and development pipelines, identifying vulnerabilities and recommending secure design strategies. Perform threat modeling and risk assessments to identify vulnerabilities and recommend appropriate mitigating controls. Recommend and oversee the implementation of security controls in CI/CD pipelines, ensuring governance and standardization of tools such as SAST, DAST, and IAST. Collaborate closely with application security teams, developers, application owners, cloud teams, and engineering teams to integrate security into the SDLC and organizational workflows. Communicate risks effectively to developers, application owners, and senior executives, tailoring technical risks into actionable insights for both technical and non-technical audiences. Guide the adoption and implementation of OWASP standards, including ASVS, OWASP Top 10, and API Security Top 10. Demonstrate strong knowledge and understanding of microservices driven architecture, ensuring secure integration into overall system design. Maintain familiarity with APIs, API gateways, service mesh, and API-related security tooling and practices to secure API designs and integrations. Provide expertise in container security, advising on the use of immutable operating systems and secure deployment practices. Partner with developers and engineering teams to promote secure coding practices and ensure security is a natural part of their workflows. Stay informed of emerging application security threats and technologies, and proactively recommend improvements to enhance the security posture. Foster a security-first culture by mentoring development teams, promoting secure coding practices, and embedding security in organizational workflows. Please note:
The job can only be performed in the State location listed: Jersey City, NJ, Durham, NC, and Houston, TX. What we are looking for
Required Qualifications:
7+ years of hands-on experience in application security, secure coding, and software development practices for Web, API, and Mobile applications. Strong ability to create and review application designs, diagrams, and reference architectures. Expertise in secure software development life cycle (SDLC) and DevSecOps processes. Proficiency in SaaS, PaaS, and IaaS environments, including platforms like AWS, Azure, M365 and Saleforce. Experience with various application security tools, such as SonarQube, Veracode, Codacy and familiarity with integrating security into CI/CD pipelines. Knowledge of common CI/CD pipeline and development tools, such as Jenkins, GitHub, Artifactory, Terraform, Vault. Knowledge of containerization and orchestration technologies like Docker, Kubernetes, EKS, ECS and OCP, including container security practices and the use of immutable containers. Working knowledge of regulatory requirements and compliance standards such as NYDFS, CCPA, PCI-DSS, HIPAA, SOX, and GDPR. Relevant certifications such as CISSP, CSSLP, OSCP or equivalent. Ability to work independently or collaboratively in a team-oriented environment. Bachelor's degree in a relevant field or proven record of experience in Information Technology and Cyber Security roles. Technical Skills:
Knowledge of OWASP ASVS, OWASP Top 10, API Security Top 10, and secure coding practices. Proficiency in designing, implementing, and securing API gateways (e.g., Kong, Apigee, AWS API Gateway) and service mesh (e.g., Istio, Linkerd) for secure communication and service management. Expertise in implementing security controls in CI/CD pipelines, ensuring alignment with security standards and best practices using tools such as Jenkins, GitHub, and Terraform. Knowledge of securing containerized environments, including securing images, leveraging immutable OSes, and applying best practices in orchestration security. Expertise in designing processes for patching vulnerabilities and implementing resilient deployment strategies (e.g., blue-green deployments). Expertise in encryption (e.g., TLS, AES, RSA) and secure data management practices. Common Security and Architecture Frameworks:
OWASP ASVS (Application Security Verification Standard) NIST Cybersecurity Framework (CSF) ISO 27001 and 27002 CIS Controls SABSA (Sherwood Applied Business Security Architecture) TOGAF (The Open Group Architecture Framework) AWS Well-Architected Framework Preferred Certifications:
Certified Secure Software Lifecycle Professional (CSSLP) GIAC Web Application Penetration Tester (GWAPT) GIAC Secure Software Programmer (GSSP) AWS Certified Solutions Architect - Associate or Professional AWS Certified Security - Specialty Microsoft Certified: Azure Solutions Architect Expert TOGAF (The Open Group Architecture Framework) SABSA Foundation or Practitioner Soft Skills:
Strong analytical and problem-solving abilities. Excellent interpersonal and collaboration skills. Proven ability to communicate complex ideas to technical and non-technical audiences. Strong organizational and time management skills. Adaptability and a commitment to continuous learning of new technologies and methodologies. Attention to detail and dedication to delivering high-quality results. High level of integrity and ethical conduct. Industry-Specific Experience:
Experience in financial services, insurance, or other regulated environments. Proven ability to design and implement application security controls that align with industry regulations and standards. Experience conducting application security assessments and audits in regulated industries. Familiarity with industry-specific application threats and vulnerabilities to tailor security solutions. For position based in Jersey City, NJ, the base salary range is $128,000 - $155,000 and the position is eligible for a bonus in accordance with the terms of the applicable incentive plan. In addition, we're proud to offer a range of competitive benefits. #LI-SAFG #LI-CW1 #LI-Hybrid This role is deemed a "covered associate" under SEC Rule 206(4)-5, 17 CFR § 275.206(4)-5, Political contributions by certain investment advisers, and other federal and state pay-to-play rules. Candidates for the role must not have made any political contributions that, under 17 CFR § 275.206(4)-5 or