AppSec Jobs
ICE

Senior Engineer, Application Security

Onsite
Jacksonville, FL | Posted 1 week ago

At a Glance

Java, C#/.NET, CI/CD, Pen Testing, SAST, DAST

About This Role

An Intercontinental Exchange (ICE) IS AppSec Engineer is part of a team responsible for ensuring that ICE produces and maintains secure applications. The team member influences secure design, performs code analysis, identifies vulnerabilities through hands-on penetration testing, assists developers in remediation efforts, and communicates findings to developers, QA teams and management.

Responsibilities

  • Application Identification and Review - Operates the Application Development Security Lifecycle from design review through automated and hands-on testing.
  • Standards and Policies - Maintains and contributes to Application Development Security Policies and standards by keeping up with industry trends and publications from organizations such as NIST, OWASP, and SANS.
  • Secure Design – Works with development teams to establish security requirements early in the SDLC and contributes security subject matter expertise during the development of new projects and releases.
  • Tool Management – Focuses on automation while implementing, maintaining and integrating cutting-edge technologies to assess an application's security with static code analyzers (SAST), dynamic testing (DAST) tools, software composition scanners, Web Application Firewall (WAF) and bug bounty programs.
  • Developer Education – Keeps software engineers apprised of secure coding practices and builds strong rapport and respect with the ICE application development community via training sessions, one-on-one education, Intranet blogs and other opportunities.

Requirements

Java, SAST, DAST, CI/CD
  • University degree in Computer Science, Engineering, MIS, CIS, or related discipline
  • Software engineering experience in Java, C++, .NET and/or related languages
  • Expert at deploying, configuring, and using SAST, DAST, and Software Composition in large environments
  • Experience designing solutions to integrate transparently with the CI/CD pipeline
  • Familiar with application development in large cloud environments
  • Documenting and effectively publishing technology guidance and repeatable processes
  • Mentoring peers in groups and individually
  • Improving processes and introducing superior technology
  • Taking initiative to learn business goals, liaise with other departments, and identify ways to increase productivity in other ICE groups and offices

About ICE

Intercontinental Exchange, Inc. (ICE) is a multinational financial services company founded in 2000, headquartered in Atlanta. It operates global financial exchanges and clearing houses, providing a range of services including mortgage technology, data, and listing services. ICE is recognized on the Fortune 500, S&P 500, and Russell 1000, and manages 12 regulated exchanges and marketplaces. ICE's offerings include exchange-traded futures and options across various sectors such as agriculture, energy, and financials. The company also provides over-the-counter instruments and comprehensive data services, which include market data, analytics, and indices. Additionally, ICE offers mortgage technology solutions that streamline the mortgage process, enhancing efficiency and reducing costs. With a focus on leveraging AI and digital networks, ICE connects a diverse global financial marketplace, serving traders, asset managers, and corporate issuers across multiple asset classes.

Industry

financial services

Employees

13,000

1860 engineers

Revenue

$12B

Security at ICE

Compiled from public job postings, careers pages, and company materials. Data may not reflect current state — verify during interviews.

3 Intel Signals

Security Philosophy

  • Stated AppSec Mission: "ICE employs a dedicated Application Security team which defines and enforces mandatory best-practice secure software development."
  • Developer Enablement vs. Gatekeeping: "Works with development teams to establish security requirements early in the SDLC" and "Keeps software engineers apprised of secure coding practices".
  • Risk Philosophy: "Operates the Application Development Security Lifecycle from design review through automated and hands-on testing."
  • Stated Pain Points or Goals: "Focuses on automation while implementing, maintaining and integrating cutting-edge technologies" and "assists developers in remediation efforts".
  • Gaps & Contradictions: Information not publicly available regarding explicit written statements describing a formal risk-acceptance model or prioritized business risk framework for AppSec.

Security Team

ICE's Information Security Department consists of diverse and skilled teams. The reporting chain to a named security executive for AppSec is not publicly available. The key public-facing leader is Steve Pugh, Chief Information Security Officer, who stated, "I'm the Chief Information Security Officer for the Intercontinental Exchange". The team size estimate is not publicly available, based on a LinkedIn search. There are 2 active AppSec job postings as of. Common skill/tool patterns mentioned in job postings include "static code analyzers (SAST)", "dynamic testing (DAST) tools", "software composition scanners", "Web Application Firewall (WAF)", "bug bounty programs", and common languages like "Java, C++.NET" and "Python". Gaps & Contradictions: Information not publicly available regarding the org chart showing AppSec reporting line, or a named AppSec manager or Head of Application Security (distinct from CISO) with a public bio.

Key Initiatives

A Security Champions Program status is "No Evidence Found", though job postings mention developer education: "Keeps software engineers apprised of secure coding practices." "Shift Left" practices include working "with development teams to establish security requirements early in the SDLC" and operating "the Application Development Security Lifecycle from design review". The Vulnerability Management Process involves intake via "Report a security concern" (linking to HackerOne VDP) and remediation support where AppSec "assists developers in remediation efforts". Information on SLAs, MTTR, and ticketing ownership is not publicly available. Secure SDLC Artifacts include operating "the Application Development Security Lifecycle from design review through automated and hands-on testing" and working "with development teams to establish security requirements early in the SDLC". Recent Initiatives (Last 6 Months) are not publicly available. Gaps & Contradictions: No public documentation located describing AppSec SLAs, formal remediation timelines, embedded/embedded-in-squads model, or an explicit security champions program.
