Lilly Associate Director – IDS Application Security in Indianapolis, Indiana
At Lilly, we unite caring with discovery to make life better for people around the world. We are a global healthcare leader headquartered in Indianapolis, Indiana. Our 35,000 employees around the world work to discover and bring life-changing medicines to those who need them, improve the understanding and management of disease, and give back to our communities through philanthropy and volunteerism. We give our best effort to our work, and we put people first. We’re looking for people who are determined to make life better for people around the world.
At Lilly, we serve an extraordinary purpose. We make a difference for people around the globe by discovering, developing and delivering medicines that help them live longer, healthier, more active lives. Not only do we deliver breakthrough medications, but you also can count on us to develop creative solutions to support communities through philanthropy and volunteerism.
The Application Security Engineer is responsible for managing all aspects of the Dynamic Application Security Testing Service, including vulnerability identification, analysis, remediation coordination and reporting.
Lead and deliver the Dynamic Application Security Testing service to ensure new applications or applications undergoing a major change are assessed for vulnerabilities prior to production implementation.
Technical subject matter expert for the Dynamic Application Security Testing tools used to perform scans on applications.
Build relationships with internal and external customers and partner with them to monitor and coordinate remediation of vulnerabilities across corporate and business applications.
Partner with Information Security Architecture to define and continually improve the Application Security Program.
Develop processes and/or improve current processes related to Application Security Testing services.
Coordinate with the Threat Intelligence Team and SOC to drive key vulnerability initiatives.
Triage newly identified critical vulnerabilities and zero-day vulnerabilities, assess threat and impact information, and manage escalation processes for remediation based on risk.
Follow departmental change management process to ensure appropriate implementation of metrics and reporting capabilities.
Continuously improve the processes and procedures to include reporting exceptions/risk acceptance for further review including escalation to the appropriate risk owners.
Interact with stakeholders to develop and fine-tune the process of how metrics are calculated and communicated.
Provide written and oral communications as appropriate to the information security leadership related to Application Security quantitative metrics, reporting, and analysis.
Bachelor’s or Associate’s degree
5+ years of related Information Security experience or application development and support experience.
3+ years of advanced experience with:
Experience with industry standard application security testing technologies, such as GitHub Advanced Security, Acunetix, Checkmarx, Fortify WebInspect, Rapid7 InsightAppSec, Qualys WAS or Burp Suite.
Experience in DevSecOps and conducting end-to-end security testing of applications: web, mobile, thick client, API and web services.
Experience automating security testing, escalation, and reporting processes through scripting and working with APIs.
Experience with security compliance procedures and providing automation where possible.
Experience with enforcing adherence to application security policies and procedures.
Experience with and knowledge of the OWASP Top 10, SANS Top 25, OSSTMM, and the MITRE ATT&CK framework.
Experience in systems administration, security DevOps processes, system hardening, IAM, guardrails, and service control policies within cloud computing environments.
Evaluation of threats and risk to business operations resulting in security solutions that appropriately balance cost and risk mitigation.
Data analysis and problem resolution. Must be able to integrate and correlate large amounts of data to identify complex patterns and trends.
Applying good risk-based judgment to complex problems.
Qualified candidates must be legally authorized to be employed in the United States. Lilly does not anticipate providing sponsorship for employment visa status (e.g., H-1B or TN status) for this employment position.
Certified Information Systems Security Professional (CISSP)
GIAC Security Essentials (GSEC)
GIAC Enterprise Vulnerability Assessor (GEVA)
GIAC Certified Enterprise Defender (GCED)
GIAC Penetration Tester (GPEN)
GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)
GIAC Certified Incident Handler (GCIH)
Strong written and oral communication skills.
Ability to think analytically and to understand and communicate quantitative information.
Ability to apply programming language structures (e.g., source code review) and logic.
Make recommendations regarding the selection of cost-effective security controls to mitigate risk (e.g., protection of information, systems and processes).
Knowledge of cyber-attack stages (e.g., reconnaissance, scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks).
Knowledge of ethical hacking principles and techniques.
Knowledge of cyber attackers (e.g., script kiddies, insider threat, non-nation state sponsored, and nation sponsored).
Skill in the use of penetration testing tools and techniques.
Eli Lilly and Company, Lilly USA, LLC and our wholly owned subsidiaries (collectively “Lilly”) are committed to helping individuals with disabilities participate in the workforce and ensuring equal opportunity to compete for jobs. If you require an accommodation to submit a resume for positions at Lilly, please email Lilly Human Resources (LillyRecruitingCompliance@lists.lilly.com) for further assistance. Please note: this email address is intended for use only to request an accommodation as part of the application process. Any other correspondence will not receive a response.
Lilly is an EEO/Affirmative Action Employer and does not discriminate on the basis of age, race, color, religion, gender, sexual orientation, gender identity, gender expression, national origin, protected veteran status, disability or any other legally protected status.
Our employee resource groups (ERGs) offer strong support networks for their members and help our company develop talented individuals for future leadership roles. Our current groups include: Africa, Middle East, Central Asia Network; African American Network; Chinese Culture Network; Early Career Professionals; Japanese International Leadership Network (JILN); Lilly India Network; Organization of Latinos at Lilly; PRIDE (LGBTQ + Allies); Veterans Leadership Network; Women’s Network; and Working and Living with Disabilities.
As a condition of employment with Eli Lilly and Company and its subsidiaries in the United States and Puerto Rico, you must be fully COVID-19 vaccinated and provide proof of vaccination satisfactory to the company (subject to applicable law).