How to Apply

A cover letter is required for consideration for this position and should be attached as the first page of your resume. The cover letter should address your specific interest in the position and outline skills and experience that directly relate to this position.

Information Assurance: Michigan Medicine 

The Information Assurance: Michigan Medicine (IA:MM) team was established to protect systems, data, and identities that Michigan Medicine relies upon. The team educates and prepares staff and students for increasing cyber threats, and proactively mitigates IT security risks in partnership with the greater U-M community. The IA:MM team enables teaching, learning, research, and healthcare in a large, open environment by helping to balance risks and threats. IA:MM collaborates and coordinates with university efforts and participates in the development of university-wide security, compliance, and privacy strategies and strives to implement best practice cybersecurity efforts.

Job Summary

The University of Michigan's Information Assurance team at Michigan Medicine (IA:MM) is seeking a candidate to fulfill the role of Software Security Analyst Intermediate. This role will support reducing risks to the confidentiality, integrity, and availability of Michigan Medicine assets due to defects in software that it produces or utilizes.

Responsibilities*

Software Design/Architecture/Implementation

  • Ascertain, monitor, and improve the security of software produced by Michigan Medicine
  • Perform software/application security testing
  • Engage in the software development processes of development groups at multiple touch points to ensure that software security is adequately addressed
  • Support compliance with the official UM Software Security Standards
  • Translate software security metrics into actionable intelligence for management/leadership

Software Development Support

  • Raise the security competency of the Michigan Medicine software development community
  • Select or provide secure software development training for developers
  • Select software development tools that will support secure programming practices
  • Support software development tools that allow data collection and reporting at an enterprise level
  • Provide mentorship to software developers in secure development practices
  • Assist in establishing required developer competency levels and a means for testing and monitoring required competencies
  • Promote cross-development group collaboration and information sharing about secure software development practices
  • Conduct software development maturity evaluations for entire development groups using either internal or external resources
  • Maintain an inventory of software development groups, developers, and the software they develop

Third-Party Application Security

  • Ensure that software obtained from outside sources is securely designed and implemented

General

  • Continually improve security service solutions and offerings by keeping up-to-date on security conferences, seminars, reading, research, and testing
  • Develop sound relationships with internal and external customers by providing accurate and effective support
  • Serve as a concierge to locate suitable external security resources

Required Qualifications*

  • Bachelor’s degree in computer science, computer engineering, information assurance/security, or a related field and/or equivalent combination of education, certification and experience
  • Minimum of 5 years’ experience developing software with significant security requirements or in the assessment of software/application security

Basic Security

  • Familiarity with authentication/authorization methods, including multifactor authentication
  • Familiarity with security concepts such as least privilege, RBAC, cryptographic hashes, encryption, and logging

General Software Development

  • Experience working in a production software development environment
  • Familiarity with software/application patching
  • Familiarity with change control and change management

Secure Software Development

  • Familiarity with threat modeling concepts, such as S.T.R.I.D.E (Spoofing of user identity, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege)
  • Familiarity with secure coding guidelines, such as the OWASP Secure Coding Guidelines
  • Experience in applying principles and design patterns of secure software architecture

Code Review and Testing

  • Experience with conducting code reviews
  • Familiarity with software testing concepts and principles, including input validation testing, fuzzing, static/dynamic analysis, black box/white-box testing, unit tests, integration testing, code coverage, boundary condition testing, and race condition testing

Language/Framework/Platform Familiarity

  • Working knowledge of virtualization/container technologies
  • Familiarity with a variety of languages, frameworks, web/application servers, and operating systems/platforms. Examples may include, but are not limited to:
      • Languages: C/C++, C#, ColdFusion, Objective-C, Swift, Java, Python, Perl, PHP, Bash, JavaScript, HTML/CSS, SQL, XML/XSLT, PowerShell, and assembly
      • Frameworks: AngularJS, Asp.Net, Dojo, ESAPI, Fusebox, Node.JS, Prototype/script.aculo.us, Tapestry, Spark, Spring, and Zend
      • Web/application servers: JBoss and Resin
      • Operating systems/platforms: Windows, iOS, Linux, OS X, and Android

Reverse Engineering

  • Ability to reverse engineer system design from source code

General

  • Ability to work independently and proactively
  • Excellent organizational, analytical, and independent problem-solving skills
  • Ability to communicate effectively, both verbally and in writing
  • Demonstrated success coordinating and completing multiple tasks within established and changing deadlines
  • Ability to contribute and collaborate effectively as a lead member of a highly-functioning and productive team

Desired Qualifications*

  • Certifications such as CISSP, GIAC-GSEC, GSSP-.NET, GSSP-Java, GWEB, or GWAPT
  • Experience in a healthcare environment
  • Experience with Agile development
  • Experience with DevOps
  • A Master’s degree in computer science, information assurance/security, or a related field and/or equivalent combination of education, certification and experience
  • Active participation in the information security community
  • Experience in giving security-related conference presentations
  • Experience in conducting security training
  • Familiarity with application exploit principles and techniques
  • Familiarity with disassemblers and debuggers
  • Ability to reverse engineer software available only in binary form
  • Experience with web application penetration testing

Background Screening

Michigan Medicine conducts background screening and pre-employment drug testing on job candidates upon acceptance of a contingent job offer and may use a third-party administrator to conduct background screenings. Background screenings are performed in compliance with the Fair Credit Reporting Act. Pre-employment drug testing applies to all selected candidates, including new or additional faculty and staff appointments, as well as transfers from other U-M campuses.

Mission Statement

Michigan Medicine improves the health of patients, populations and communities through excellence in education, patient care, community service, research and technology development, and through leadership activities in Michigan, nationally and internationally. Our mission is guided by our Strategic Principles and has three critical components: patient care, education and research that together enhance our contribution to society.

Application Deadline

Job openings are posted for a minimum of seven calendar days. This job may be removed from posting boards and filled anytime after the minimum posting period has ended.

U-M EEO/AA Statement

The University of Michigan is an equal opportunity/affirmative action employer.