Lead Security Engineer - Application Security

    • CME Group
  • Posted 45 days ago | Updated 12 days ago


On Site
Full Time


Web application security
Software security
Software design
IT management
Web applications
Software development
Process improvement
Burp suite
Reverse engineering
Computer science
Information systems
Geographic information system
Cloud computing
Research and development
Visual Basic
Microsoft Windows
Windows PowerShell
Technical drafting

Job Details

Role Overview The Lead Security Engineer Application Security is responsible for performing advanced manual security assessments on applications and systems that require specialized knowledge, and provide detailed written reports to key business stakeholders (management, development teams).
Additionally, the individual will provide application design support and application security best practice guidance, in the form of consultations, to various development teams and business stakeholders. The individual is also responsible for championing security through design and delivery of integrated solution architectures.
This role leads by example by performing all the Application Security team responsibilities and provides training opportunities for other team members. As a technical lead in the Application Security Assessment team, this role must effectively communicate with CME technology, business, and third-party partners.

Principal Accountabilities
  • Lead by example and independently perform all functions and services of the GIS AppSec team..
  • Conduct advanced web application, micro-services, API, cloud penetration tests of proprietary and 3rd party on-prem/cloud systems and applications.
  • Perform targeted manual security reviews at key points in the software development life cycle.
  • Perform peer reviews of assessment reports and provide constructive guidance to team members.
  • Train others on tools and processes used in AppSec methodology.
  • Provide technical guidance to team members and other stakeholders (e.g. development teams, project teams, business stakeholders).
  • Provide input for strategic visioning / planning.
  • Identify the need and develop new security standards and reference architectures.
  • Identify metrics that can help measure performance, gaps in coverage, need for head count, trends in findings.
  • Identify and document process improvements and influence team and management support and prioritize changes.
  • Establish yourself as a recognized technical expert within the team.
  • Have an interest in continuing your education and training and staying current within the application security domain.

  • 12+ years' experience performing security assessments of a wide variety of systems, applications and technologies which include both proprietary and industry standard protocols.
  • Expert knowledge and experience performing manual security reviews of application source code for security vulnerabilities written in various languages including: Java, .Net (C#, VB#), C++, *.
  • Expert level skills with application security testing tools including: Burp Suite Pro, Kali, Checkmarx, sqlmap, nmap, Wireshark, etc.
  • Expert knowledge of the Open Web Application Security Project (OWASP) Top 10 vulnerabilities most critical web vulnerabilities and how to identify and remediate them.
  • Advanced knowledge of application reverse engineering and using tools such as: Java decompilers, .Net decompilers, IDAPro, etc.
  • Advanced knowledge of UNIX/Linux/Windows.
  • Advanced knowledge with scripting languages such as: Python, bash, Powershell, etc.
  • Experience with drafting of Security Standards, Reference Architectures and Secure Technical Implementation Guidelines.
  • Have a passion for application security testing and be able to share your passion and learnings with teammates and customers.
  • Self-motivated and a self-starter (If you have a question, find the answer, ask somebody, figure it out, and communicate).
  • Excellent Oral and Written communications skills.
Nice to have
  • Certifications such as GWAPT, eWPTx, OSCP, OSWE, CISSP, or other relevant certifications are highly preferred.

Education A Bachelor's or Master's degree in Computer Science, Information Systems or other related discipline is required; or equivalent combination of education and relevant proven work experience.

CME Group: Where Futures Are Made

CME Group ( is the world's leading derivatives marketplace. But who we are goes deeper than that. Here, you can impact markets worldwide. Transform industries. And build a career shaping tomorrow. We invest in your success and you own it, all while working alongside a team of leading experts who inspire you in ways big and small. Problem solvers, difference makers, trailblazers. Those are our people. And we're looking for more.

At CME Group, we embrace our employees' diverse experiences, cultures and skills, and work to ensure that everyone's perspectives are acknowledged and valued. As an equal opportunity employer, we recognize the importance of a diverse and inclusive workplace and consider all potential employees without regard to any protected characteristic.
The Candidate Privacy Policy can be found here.