Marquee Engineering - Application Security Engineer

Location(s): US-NY-New York
Schedule Type: Full Time
Vice President/Executive Director
Business Unit: Marquee Engineering




The Marquee team at Goldman Sachs is responsible for delivering digital products to our institutional client base. We design and build highly scalable web platforms that provide access to Goldman Sachs content, portfolio analytics, risk, and execution services. These tools help to transform and simplify client experiences while generating new revenue streams and business models for a leader in global financial markets. Marquee is a product-driven team, composed of talented and passionate product managers, designers, and engineers working to change the expectations of institutional finance.


The position is for an experienced technologist with significant Application Security experience, with a core focus on application security architecture, design and implementation reviews through code analysis and hands-on testing, in order to drive more efficient and complete continuous assessment of application controls.


This position will have broad involvement in various Technology Risk domains, such as:

  • Influencing the overall direction for securing applications at the firm
  • Application security requirements and establishing baselines for emerging technologies
  • Implementation testing through code analysis, automated tools and manual testing
  • Collaboration with Engineering platform teams to build controls into firm-based technology
  • Driving automation for security control testing into the firm’s standard SDLC



  • Contribute to the implementation and refinement of the strategy for the Application Risk program.
  • Perform Design Review of process-level application architectures to ensure appropriate control specification at design time.
  • Oversee Code Review and automated testing processes of application security control implementations in Java, C, C++, C#, and ASP.Net.
  • Define clear, meaningful metrics for measuring compliance.
  • Drive adoption of embedded application security controls as part of the Software Development Life Cycle (SDLC).
  • Provide guidance on existing and emerging threats in the web and mobile application space.
  • Contribute to the technical understanding and adoption of information security standards, solutions and tools.
  • Have the discipline and interpersonal skills to work well in a fast-paced environment.
  • Work with engineers to develop a customized security testing strategy.
  • Evaluation of both industry-standard and proprietary application security controls (e.g. authentication, authorization, input validation, output sanitization, error handling, application resilience) against firm policies and standards.
  • Understanding of common vulnerabilities plaguing web and mobile applications such as XSS, XSRF, SSRF, Clickjacking, HTTP Response Splitting, XXE, etc.
  • Experience in analyzing and decomposing application architectures to identify security gaps.
  • Understanding of web security concepts such as the Same-Origin Policy, CORS, etc.
  • Working knowledge of HTTP security headers such as CSP, HSTS, X-Frame-Options, X-Content-Type-Options, etc.
  • Ability to identify bugs/flaws in application programming languages such as Java, C#, Objective-C, etc.
  • Familiarity with common web stack technologies (e.g. HTTP, HTML5, AJAX, REST, JSON, etc.) and platforms (e.g. DropWizard, AngularJS, Tomcat, .Net, Sybase, MS SQL, MongoDB, etc.).
  • Understanding of core cryptography concepts (Encryption, Hashing, HMAC, Digital Signatures, Random Number Generators, Key Storage, Crypto libraries, etc.) and how they are applied and attacked in web applications (e.g. TLS attacks, CBC attacks).
  • Experience with penetration testing tools such as Burp Suite, AppSpider, Wireshark, OpenSSL, Nikto, Nmap, ZAP, Echo Mirage, Sysinternals, Mallory, etc.


  • At least 4 to 6 years of combined experience in the SDLC, either in development or in the field of application security.
  • Or an MS in Computer Science, System/Computer Engineering, Cyber-Security, or Information Security is preferred.
  • Development experience in at least one of the major programming languages such as Java, C#, or Python is a must.
  • Certificates such as CEH, CISSP, OSCP, and GPEN are good to have.
  • Experience in crafting custom proof-of-concept application exploits using testing tools/frameworks or scripting exploits in Python, Perl, JavaScript, Shell scripting, etc.
  • Expert knowledge of network, application and operating system security risks.
  • Experience or training in related disciplines, e.g. computer science, computer security, software development, system design, open source frameworks, encryption schemes, etc.
  • Familiarity with automated source code analysis tools such as Checkmarx, Fortify or AppScan is valued.
  • Contributions in the form of white papers, blogs, conference/chapter talks, or security tools are a good addition to the resume.



  • Work on some of the most complex technical and design challenges in technology and finance
  • Learn from the foremost experts in finance, technology, and math who are diverse in their academic, ethnic, and social backgrounds
  • Benefit from ongoing training, development, and mentoring to advance in your career


The Goldman Sachs Group, Inc. is a leading global investment banking, securities and investment management firm that provides a wide range of financial services to a substantial and diversified client base that includes corporations, financial institutions, governments and individuals. Founded in 1869, the firm is headquartered in New York and maintains offices in all major financial centers around the world.

© The Goldman Sachs Group, Inc., 2018. All rights reserved. Goldman Sachs is an equal employment/affirmative action employer Female/Minority/Disability/Vet.