Associate Principal, Application Security


All OCC employees are required to disclose their COVID-19 vaccination status to OCC’s Human Resources department, and provide acceptable proof of vaccination status, as applicable. In addition, OCC requires employees who enter one of its offices to be fully vaccinated against COVID-19 or submit to regular testing as a condition of employment, subject to reasonable accommodation.
Who We Are
The Options Clearing Corporation (OCC) is the world's largest equity derivatives clearing organization. Founded in 1973, OCC is dedicated to promoting stability and market integrity by delivering clearing and settlement services for options, futures and securities lending transactions. As a Systemically Important Financial Market Utility (SIFMU), OCC operates under the jurisdiction of the U.S. Securities and Exchange Commission (SEC), the U.S. Commodity Futures Trading Commission (CFTC), and the Board of Governors of the Federal Reserve System. OCC has more than 100 clearing members and provides central counterparty (CCP) clearing and settlement services to 19 exchanges and trading platforms. More information about OCC is available at www.theocc.com.

What We Offer
A highly collaborative and supportive environment developed to encourage work-life balance and employee wellness. Some of these components include: 
A hybrid work environment, up to 3 days per week of remote work
Tuition Reimbursement to support your continued education
Student Loan Repayment Assistance
Technology Stipend allowing you to use the device of your choice to connect to our network while working remotely
Generous PTO and Parental leave 
Competitive health benefits including medical, dental and vision

What You'll Do

This position works closely with other members of the Security Services, IT development, and Quality Assurance teams to support application and software security initiatives, projects, and operations.

Responsibilities include performing, supporting, and troubleshooting automated security scanning tools, manual penetration testing, CI/CD pipeline tooling with developers, and cloud systems architecture. Program-level activities include developing and implementing security best practices in the technology delivery process, collaborating with application teams on the development of secure applications, and integrating custom and commercial software with security infrastructure to support the confidentiality, integrity and availability of enterprise applications.
Primary Duties and Responsibilities: 
To perform this job successfully, an individual must be able to perform each primary duty satisfactorily.  

CI/CD Pipeline
•    Develop scripts and write containers to integrate security tools into the development pipeline
•    Assist development teams with interpreting results from pipeline verification reports to facilitate vulnerability remediation
•    Troubleshoot developer issues with running security scans in the pipeline

Application Security Testing
•    Assist with application penetration testing
•    Assist with retesting vulnerabilities to verify the development teams have remediated 
•    Review testing reports and conduct security risk assessments of the vulnerabilities
•    Conduct code scans using automated tools and risk-rate the vulnerabilities according to the organization's risk profile and mitigating controls
•    Conduct IT/Security code review meetings to eliminate false positives and encourage collaboration between Security and IT development teams
•    Assist with application security vulnerability management including implementation of new vulnerability management tools 

Documentation and Process Improvement
•    Assist in the development of metrics documentation to track the burndown rate of vulnerability remediation
•    Assist in the development of security engineering documentation: 
o    Explore opportunities for updates to Security Engineering policies and standards
o    Assist with the development and periodic review of Security controls, policies, and procedures in close coordination with Security managers

•    Participate in the improvement of security engineering processes
•    Help gather evidence of security testing processes for audits
•    Work with development and QA teams to create development lifecycle documentation, and provide integrated systems planning that enhances current systems and supports corporate, business and system goals
•    Identify automation opportunities and help with department automation efforts

Department Tasks
•    Suggest security controls and practices to be integrated into the SDLC phases, and participate in Security Engineering SDLC activities and tollgates
•    Create clear and concise reports of security analysis for SDLC artifacts and security reviews during change management process 
•    Collaborate and brainstorm with the Security Engineering team on new application and application infrastructure technology components
•    Execute self-testing of Security controls and processes
•    Coordinate execution of continuous testing roadmap exercises
•    Provide input into training on security best practices for application developers, architects and testers and coordinate the execution of training plans
•    Participate in the change management process, assist with evaluating the security impact of changes, suggest controls, and recommend approval or rejection of change requests

Supervisory Responsibilities:    

•    None

The requirements listed are representative of the knowledge, skill, and/or ability required.  Reasonable accommodations may be made to enable individuals with disabilities to perform the primary functions.    

•    Experience with CI/CD pipelines and software development/coding: Docker, Jenkins, GitHub, SVN, Terraform, and others.
•    Highly motivated individual that assumes ownership of their projects
•    Ability to act as a liaison between security and the development, IT, and QA teams.
•    Strong desire and capacity to learn and support new technical applications
•    Exceptional verbal communication skills that include the ability to articulate ideas clearly and concisely
•    Ability to write clear and concise documentation

•    Knowledge of security principles; training and/or education preferred
•    Experience administering and interpreting results from security scanning tools
•    Experience working in the financial industry
Technical Skills:    

•    Knowledge of programming and scripting languages including Java, C++, Python, JavaScript, and Bash
•    Familiarity with application frameworks and their built-in security services and APIs (e.g., Sun J2EE, MS .NET, OMG CORBA, Spring)
•    Knowledge of security architecture design and principles including confidentiality, integrity and availability.
•    Knowledge of automated code scanning tools and development pipeline tools
•    Understanding of security concepts and practices, including those for authentication, authorization, access control and auditing as well as best practices (e.g. OWASP).
•    Familiarity with application authentication and authorization systems (e.g., CA SiteMinder, RSA SecurID/ACE, Active Directory, and LDAP)
•    General knowledge of cryptography (symmetric and asymmetric encryption, digital signatures, message digests, certificates, PKI, SSL/TLS, etc.)
•    Fundamental understanding of network and data communications technologies      
•    Knowledge of cloud security concepts, best practices, and environments (AWS, Azure, GCP)
•    Knowledge of Secure DevOps concepts
Education and/or Experience:    

•    Bachelor's degree in Cybersecurity, Computer Science, Management Information Systems, or a related field, or the equivalent combination of education and/or relevant experience
•    Experience writing scripts and working with containers in a CI/CD pipeline
•    At least 3 years' experience in security-related roles, or equivalent training/knowledge of security best practices, OWASP, and the NVD
•    Experience with SDLC and working with business users, database analysts, system architects, etc., to identify and prioritize requirements
•    Exposure to security architecture design through application development or knowledge of security concepts/best practices
•    Previous work in development, architecture or quality assurance testing may be applicable to the position requirements


•    Experience or relevant training in Terraform and cloud platforms such as AWS
•    Experience with Java programming including Java Servlets, JSP, J2EE, and Spring
•    Experience with J2EE applications and infrastructure including IBM WebSphere Application Server, WebSphere Portal, and BEA WebLogic solutions and development
•    Experience with agile methodologies and Jira
Certificates or Licenses:    

•    Professional network and/or security certifications a plus (e.g., GIAC, CISSP, CISA, CISM, CRISC)
•    Cloud security automation certifications a plus (e.g., GCSA)
•    Penetration testing certifications a plus (e.g., OSCP, GWAPT)

How to Apply

Step 1
When you find a position you're interested in, click the 'Apply' button. Please complete the application and attach your resume.  

Step 2
You will receive an email notification to confirm that we've received your application.

Step 3
If you are called in for an interview, a representative from OCC will contact you to set up a date, time, and location. 

OCC is an Equal Opportunity Employer

  • REQ-2510
  • Chicago - 125 S Franklin
  • Full Time Regular
  • Posted: Jun. 30, 2022

Numerous studies have shown that people from groups that are traditionally under-represented in financial services apply to jobs only if they believe they meet 100% of the requirements. We want to break down this mindset to further diversify our workforce.

We encourage you to review our open positions and apply if you think your experience may be a match, even if you do not meet all of the qualifications. Your perspective may be an element we need to continue building innovative solutions to support the markets and market participants we serve.

OCC is a globally recognized entity that clears a multitude of diverse and sophisticated products. We want to reflect this in the diversity of our workforce.
