M&T Bank

Lead Application Security Engineer

United States

Compensation: Not Specified
Experience Level: Expert & Leadership (9+ years)
Job Type: Full Time
Visa: Unknown
Industries: Banking, Financial Services

Lead Product Security Engineer

Employment Type: Full-time
Location Type: Buffalo, New York (Hybrid - 3 days/week in office)

Position Overview

As the Lead Product Security Engineer at M&T Bank, you will support and participate in the building and implementation of software security controls throughout the product development life cycle. This role offers the opportunity to be involved in a wide range of responsibilities in transforming software security culture and technologies. We are seeking a highly motivated, talented, and hands-on engineer responsible for identifying and mitigating software vulnerabilities through code reviews, security assessments, threat modeling, and providing secure coding guidance to software engineers. This role is integral to our technology transformation journey, ensuring the security posture of our bank-wide infrastructure and products.

Primary Responsibilities

  • Collaborate with cross-functional teams to integrate security measures into the software development process, including conducting code reviews, providing secure code guidance, and threat modeling.
  • Stay up-to-date on emerging threats and vulnerabilities, and proactively recommend security enhancements.
  • Partner with engineering teams to provide guidance and support to developers on secure coding practices and security best practices.
  • Mentor product security engineers and DevSecOps professionals to ensure a strong security posture across all software development and deployments.
  • Assist in the development of software security processes, configuration of tools, and management of solutions to tactically address software security vulnerabilities.
  • Build and support high-quality security documentation for product security best practices.
  • Utilize product security scanning tools to track, analyze, and manage vulnerabilities.
  • Develop analytics to evaluate and enhance the effectiveness of the vulnerability management program, including tools, technologies, and policies.
  • Communicate effectively with all levels of organizational leadership, conveying complex technical concepts in a clear and concise manner.

Education and Experience Required

  • Bachelor’s degree in Computer Science, Information Systems, Cybersecurity, or an applicable discipline, and a minimum of 5 years of relevant work experience.
  • Demonstrable experience developing and maintaining automation for product security tasks and defect identification.
  • Advanced knowledge of industry standards and frameworks such as OWASP, ISO 27001, GDPR, PCI DSS, and NIST.
  • Advanced experience with security testing tools and techniques, and fixing vulnerabilities.
  • Strong background in cybersecurity, manual code review, static/dynamic code analysis, threat modeling, bug bounty research, and vulnerability management.
  • Experience with at least 2-3 of the following programming languages: Java, C#, JavaScript, Python, PHP, Ruby, Scala.
  • Hands-on experience with product security tools and exploit tools and methods.
  • Hands-on experience with product security testing tools such as SAST, DAST, IAST, SCA, and SBOM, as well as experience with DevOps technologies such as CI/CD pipelines, repos, etc.
  • Excellent communication and leadership skills.
  • Capable of working on multiple complex projects.
  • Excellent problem-solving skills to assist in issue resolution.
  • Detail-oriented with excellent verbal and written communication skills, with prior experience presenting to target audiences.
  • Excellent organizational, teamwork, and time management skills.
  • Strong vertical thinking skills.
  • Experience recommending and implementing security solutions.
  • Experience driving project milestones and delivery dates.
  • Proven mentoring and leadership capabilities.

Education and Experience Preferred

  • Cybersecurity certifications in the domain of product security or penetration testing (such as GWAPT, GCPEN, OSCP, CSSLP, CCSP).
  • Proven experience in software development, including architecture review.

Skills

Application Security
Software Security Controls
Vulnerability Identification
Vulnerability Mitigation
Code Reviews
Security Assessments
Threat Modeling
Secure Coding Guidance
DevSecOps
Vulnerability Management
Security Documentation
Product Security Scanning Tools

M&T Bank

Full-service banking for individuals and businesses

About M&T Bank

M&T Bank provides a variety of banking services to individuals, small businesses, and larger companies. Their offerings include mortgage assistance, personal and business checking accounts, and mobile banking options. The bank primarily operates in the Northeastern and Mid-Atlantic regions of the United States, emphasizing community engagement and a focus on customer service. M&T Bank's business model is based on traditional banking practices, such as loans, deposits, and investment products, and it generates revenue through interest income and service fees. A key aspect that sets M&T Bank apart from its competitors is its commitment to community involvement, which includes allowing employees to volunteer and supporting local organizations. The recent merger with United Bank, N.A. has further expanded their services and market presence.

Headquarters: Buffalo, New York
Year Founded: 1993
Company Stage: IPO
Industries: Financial Services
Employees: 10,001+

Risks

Competition from fintechs could erode M&T Bank's market share among tech-savvy customers.
Integration challenges from the United Bank merger may disrupt operations.
Decreased prime rate could reduce interest income, impacting profitability.

Differentiation

M&T Bank emphasizes community engagement through its charitable foundation and volunteer programs.
The bank offers a wide range of traditional and digital banking services.
Recent merger with United Bank, N.A. expands M&T's market reach and service offerings.

Upsides

M&T Bank's $1.5 billion senior notes offering strengthens its financial position.
Decreased prime rate may attract more borrowers, increasing loan volume.
Shannon Lazare's appointment as New Jersey Regional President enhances local community engagement.
