ICE
Analyst, Application Security
About ICE
Intercontinental Exchange, Inc. (ICE) is a multinational financial services company founded in 2000, headquartered in Atlanta. It operates global financial exchanges and clearing houses, providing a range of services including mortgage technology, data, and listing services. ICE is recognized on the Fortune 500, S&P 500, and Russell 1000, and manages 12 regulated exchanges and marketplaces. ICE's offerings include exchange-traded futures and options across various sectors such as agriculture, energy, and financials. The company also provides over-the-counter instruments and comprehensive data services, which include market data, analytics, and indices. Additionally, ICE offers mortgage technology solutions that streamline the mortgage process, enhancing efficiency and reducing costs. With a focus on leveraging AI and digital networks, ICE connects a diverse global financial marketplace, serving traders, asset managers, and corporate issuers across multiple asset classes.
Security at ICE
Compiled from public job postings, careers pages, and company materials. Data may not reflect current state — verify during interviews.
Security Philosophy
Stated AppSec Mission: "ICE employs a dedicated Application Security team which defines and enforces mandatory best-practice secure software development."
Developer Enablement vs. Gatekeeping: "Works with development teams to establish security requirements early in the SDLC" and "Keeps software engineers apprised of secure coding practices".
Risk Philosophy: "Operates the Application Development Security Lifecycle from design review through automated and hands-on testing."
Stated Pain Points or Goals: "Focuses on automation while implementing, maintaining and integrating cutting-edge technologies" and "assists developers in remediation efforts".
Gaps & Contradictions: Information not publicly available regarding explicit written statements describing a formal risk-acceptance model or prioritized business risk framework for AppSec.
Security Team
ICE's Information Security Department consists of diverse and skilled teams. The reporting chain to a named security executive for AppSec is not publicly available. The key public-facing leader is Steve Pugh, Chief Information Security Officer, who stated, "I'm the Chief Information Security Officer for the Intercontinental Exchange". The team size estimate is not publicly available, based on a LinkedIn search. There are 2 active AppSec job postings as of. Common skill/tool patterns mentioned in job postings include "static code analyzers (SAST)", "dynamic testing (DAST) tools", "software composition scanners", "Web Application Firewall (WAF)", "bug bounty programs", and common languages like "Java, C++.NET" and "Python". Gaps & Contradictions: Information not publicly available regarding the org chart showing the AppSec reporting line, or a named AppSec manager or Head of Application Security (distinct from the CISO) with a public bio.
Key Initiatives
A Security Champions Program status is "No Evidence Found", though job postings mention developer education: "Keeps software engineers apprised of secure coding practices." "Shift Left" practices include working "with development teams to establish security requirements early in the SDLC" and operating "the Application Development Security Lifecycle from design review". The Vulnerability Management Process involves intake via "Report a security concern" (linking to the HackerOne VDP) and remediation support where AppSec "assists developers in remediation efforts". Information on SLAs, MTTR, and ticketing ownership is not publicly available. Secure SDLC Artifacts include operating "the Application Development Security Lifecycle from design review through automated and hands-on testing" and working "with development teams to establish security requirements early in the SDLC". Recent Initiatives (Last 6 Months) are not publicly available. Gaps & Contradictions: No public documentation located describing AppSec SLAs, formal remediation timelines, an embedded-in-squads model, or an explicit security champions program.