Application Security Principal

Company Summary Statement

As one of the largest investor-owned utility companies in the United States, PPL Corporation (NYSE: PPL), is committed to creating long-term, sustainable value for our 3.5 million customers, our shareowners and the communities we serve. Our high-performing regulated utilities — PPL Electric Utilities, Louisville Gas and Electric, Kentucky Utilities and Rhode Island Energy — provide an outstanding experience for our customers, consistently ranking among the best utilities in the nation. PPL’s companies are also addressing challenges head-on by investing in new infrastructure and technology that is creating a smarter, more reliable and resilient energy grid. We are committed to doing our part to advance a cleaner energy future and drive innovation that enables us to achieve net-zero carbon emissions by 2050 while maintaining energy reliability and affordability for the customers and communities we serve. PPL is a positive force in the cities and towns where we do business, providing support for programs and organizations that empower the success of future generations by helping to build and maintain strong, diverse communities today.

Overview

The Cybersecurity organization advances the overall state of security at PPL through critical initiatives and coordination of large security and customer-focused projects. The organization builds and procures technologies, tools, and processes to better enable teams at PPL to develop secure platforms and protect data and systems with appropriate security controls. IT Cybersecurity also develops systems to monitor and respond to attacks against our systems, provides educational awareness to the corporation on security best practices, and ensures data sharing relationships with third parties securely protects PPL information.

PPL is seeking a highly skilled Application Security Principal to join our Cybersecurity organization. In this role, you will work closely with our Product Cybersecurity Manager to ensure the security and integrity of our applications and software products. You will provide expert guidance, conduct security assessments, and help shape the security posture of our products. If you are passionate about application security and have a deep understanding of modern software development practices, this position is ideal for you. #LI-Hybrid

Responsibilities

• Using a Secure by Design approach, design and implement, in coordination with Enterprise Architecture and Product Development teams, secure application architecture themeet the organization’s requirements.

• Develop and/or expand threat modeling governance frameworks, including policy/procedure creation, risk assessments, and establishment of metrics.

• Develop and maintainestablished security requirements and best practices for application development and deployment.

• Analyze security needs and software requirements to determine feasibility of design within time and cost constraints and security requirements.

• Conduct risk assessments for applications to identify potential vulnerabilities and threats.

• Oversee and coordinate security testing activities, including static code analysis, dynamic application security testing, penetration testing, and code reviews.

• Develop a security risk management planand execute strategies to mitigate/address identified risk by working with the Product Development teams.

• Evaluate, implement, and manage security tools and technologies that enhance the security posture of applications.

• Educate development teams on established security requirements and best practices.

• Collaborates with business and technical owners, while engaging relevant SME’s, to establish compliance standards and trackable metrics

• Maintain Knowledge and stay up to date on developing security technologies and integrate new technologies into architecture designs, where applicable.

• Provide guidance, coaching, and support in the development of junior staff members.

• All other duties and projects as assigned.

Qualifications

Education

• Bachelor’s degree in Computer Science, Information Security, and/or a related field or an equivalent level of work related experience.

Experience

• A minimum of 10+ years of experience in cybersecurity with a focus on software development, secure by design principles, and/or security architecture.

• Proficiencyin conducting security testing, including vulnerability scanning, and static and dynamic code analysis.

• Expertise in system hardening, including vulnerability assessment, penetration testing, and configuration management.

• Expertise in designing secure architectures using established frameworks

• Experience in application security tools and IDE Plug-in environments, including HP Fortify.

• Experience with securing enterprise web applications and OWASP Top 10, CVSS, CWE, WASC, and SANS-25.

• Experience in the use of threat modeling tools, and understanding of frameworks such as STRIDE and PASTA.

• Cloud Technology Expertise: Demonstrate a working knowledge of various enterprise technology stacks used to build applications in the cloud. Your understanding of cloud infrastructure will enable you to assess security aspects unique to cloud-based mobile applications and APIs.

• Cloud Platform Experience: Possess working knowledge and practical experience in security testing within cloud platforms, particularly Azure. Your familiarity will be crucial for assessing the security of cloud-hosted mobile applications and APIs.

• Experience in Cloud Native Security practices and technologies including Container security, Serverless security, Kubernetes security and Threat detection.

• Experience in utilizing Cloud Native Security Tools and Platforms such as Cloud Security Posture Management (CSPM), Cloud Workload Protection Platforms (CWPP), and Cloud Access Security Brokers (CASB).

• Experience working in Agile teams and have knowledge of Agile principles and practices.

• Knowledge of federal compliance standards, including NIST 800-53 and NIST CSF.

• Ability to follow outlined processes and procedures with high degree of accuracy.

• Strong analytical skills to assess risks and vulnerabilities in complex systems.

• Strong leadership, communication, and interpersonal skills.

• Collaborative and effective in cross-functional team environments.

Preferred Qualifications

• Professional certifications such as CISSP, CSSLP, or CEH

• Proficiency in scripting and automation for security testing.

• Experience with AWS and Google Cloud services

• Experience utilizing the Scaled Agile Framework (SAFe)

• Experience in securing Artificial Intelligence, Machine Learning, etc and maintaining integrity of those powered solutions.

Education

• Bachelor’s degree in Computer Science, Information Security, and/or a related field or an equivalent level of work related experience.

Experience

• A minimum of 10+ years of experience in cybersecurity with a focus on software development, secure by design principles, and/or security architecture.

• Proficiencyin conducting security testing, including vulnerability scanning, and static and dynamic code analysis.

• Expertise in system hardening, including vulnerability assessment, penetration testing, and configuration management.

• Expertise in designing secure architectures using established frameworks

• Experience in application security tools and IDE Plug-in environments, including HP Fortify.

• Experience with securing enterprise web applications and OWASP Top 10, CVSS, CWE, WASC, and SANS-25.

• Experience in the use of threat modeling tools, and understanding of frameworks such as STRIDE and PASTA.

• Cloud Technology Expertise: Demonstrate a working knowledge of various enterprise technology stacks used to build applications in the cloud. Your understanding of cloud infrastructure will enable you to assess security aspects unique to cloud-based mobile applications and APIs.

• Cloud Platform Experience: Possess working knowledge and practical experience in security testing within cloud platforms, particularly Azure. Your familiarity will be crucial for assessing the security of cloud-hosted mobile applications and APIs.

• Experience in Cloud Native Security practices and technologies including Container security, Serverless security, Kubernetes security and Threat detection.

• Experience in utilizing Cloud Native Security Tools and Platforms such as Cloud Security Posture Management (CSPM), Cloud Workload Protection Platforms (CWPP), and Cloud Access Security Brokers (CASB).

• Experience working in Agile teams and have knowledge of Agile principles and practices.

• Knowledge of federal compliance standards, including NIST 800-53 and NIST CSF.

• Ability to follow outlined processes and procedures with high degree of accuracy.

• Strong analytical skills to assess risks and vulnerabilities in complex systems.

• Strong leadership, communication, and interpersonal skills.

• Collaborative and effective in cross-functional team environments.

Preferred Qualifications

• Professional certifications such as CISSP, CSSLP, or CEH

• Proficiency in scripting and automation for security testing.

• Experience with AWS and Google Cloud services

• Experience utilizing the Scaled Agile Framework (SAFe)

• Experience in securing Artificial Intelligence, Machine Learning, etc and maintaining integrity of those powered solutions.

• Using a Secure by Design approach, design and implement, in coordination with Enterprise Architecture and Product Development teams, secure application architecture themeet the organization’s requirements.

• Develop and/or expand threat modeling governance frameworks, including policy/procedure creation, risk assessments, and establishment of metrics.

• Develop and maintainestablished security requirements and best practices for application development and deployment.

• Analyze security needs and software requirements to determine feasibility of design within time and cost constraints and security requirements.

• Conduct risk assessments for applications to identify potential vulnerabilities and threats.

• Oversee and coordinate security testing activities, including static code analysis, dynamic application security testing, penetration testing, and code reviews.

• Develop a security risk management planand execute strategies to mitigate/address identified risk by working with the Product Development teams.

• Evaluate, implement, and manage security tools and technologies that enhance the security posture of applications.

• Educate development teams on established security requirements and best practices.

• Collaborates with business and technical owners, while engaging relevant SME’s, to establish compliance standards and trackable metrics

• Maintain Knowledge and stay up to date on developing security technologies and integrate new technologies into architecture designs, where applicable.

• Provide guidance, coaching, and support in the development of junior staff members.

• All other duties and projects as assigned.

Remote Work

The company reserves the right to determine if this position will be assigned to work on-site, remotely, or a combination of both. Assigned work location may change. In the case of remote work, physical presence in the office/on-site may be required to engage in face-to-face interaction and coordination of work among direct reports and co-workers.

Equal Employment Opportunity

Our company is an equal opportunity, affirmative action employer dedicated to diversity and the strength it brings to the workplace. All qualified applicants will receive consideration for employment without regard to race, color, age, religion, sex, national origin, protected veteran status, sexual orientation, gender identify, genetic information, disability status, or any other protected characteristic.