Tracing its origins to 1585, Deutsche Börse Group has become one of the world's leading exchange organisations and an innovative market infrastructure provider. In this role, we provide investors, financial institutions and companies access to global capital markets. By creating trust in the markets of today and tomorrow we foster growth and contribute to the prosperity of future generations. Deutsche Börse Group is an international company, headquartered in Frankfurt/Main, Germany. With more than 6,700 employees, the company has a strong global presence for its customers all over the world, including Luxembourg, Prague, Chicago, London, Cork, New York and many other locations. Clearstream is a leading European supplier of post-trading services. The wholly owned subsidiary of Deutsche Börse ensures that cash and securities are promptly and effectively delivered between trading parties. Clearstream Luxembourg offers an international, diverse and inclusive working environment. There are numerous good reasons to work for us: high level of responsibility at an early stage, attractive benefits and a broad variety of career opportunities.

Clearstream Funds Service (CFS) IT department builds, maintains and operates a portfolio of applications which provide Clearstream clients state of the art solutions to standardise processing and to increase efficiency and safety in the investment funds sector. Our global funds processing platform Vestima allows for reaching all types of funds, from mutual funds to ETFs and hedge funds.

Your responsibilities

As part of the IT Engineering Unit acting in the domains of architecture, infrastructure and information security, you will report to the CFS IT Security Lead and take responsibilities in a broad range of application security engineering activities covering the entire CFS IT landscape. Your assignments will include:

Analysing and documenting the security of 20+ applications according to the criteria defined by the corporate Information Security department. Your expertise typically ranges from operating systems to Web applications and includes third-party software and public Cloud services

Identifying the information security impacts caused by business and technical projects, based on the projects' requirements and architecture

Performing and documenting the information security risk assessment of the applications along the ISO/IEC 2700x controls

Managing the open information security risks and vulnerabilities for the CFS IT landscape; accurately maintaining the corresponding risk and vulnerability registries; ensuring mitigating measures are properly assigned, implemented and delivered in due time

Defining application penetration test scope, scenarios and following-up on execution; analysing penetration test finding reports

Analysing the information security risks and vulnerabilities; designing, documenting and promoting innovative solutions at application level to mitigate them; analysing relevant third-party patches; analysing and implementing for specific information security projects (e.g. SIEM onboarding, Privileged Access Management...)

Closely interacting with IT development, infrastructure, operation and project management teams as well as with third-party vendors to collect information/communicate on technical security topics

Going hands-on with the CFS IT systems to extract necessary security design information when it is not readily available

Managing the relation with the corporate Information Security department, adequately interacting with their expert resources

Answering to information security enquiries coming from customers, corporate Information Security, or internal/external auditors

Your profile

Must have

University Degree (or equivalent) in computer science, with at least 5 years professional experience in IT

Very good technical writing skills; ability to clearly describe complex concepts

Good communication skills with the ability to justify and challenge security design decisions

Sound experience with critical multi-tier Web application security design as architect, security engineer or full-stack application designer

Solid background understanding of base information security concepts such as encryption, authentication, access control, digital signature, data integrity...

Practical experience with the following technologies: Web server, Git, TLS and public-key cryptography, Linux and Windows OS, at least one major Public Cloud Service Provider (Azure, AWS, Google), Shell scripting, RDBMS, Messaging middleware

Ability to digest various abstract requirements in the field of security, and map them to practical situations

At least basic software development skills in a modern object-oriented programming language

Proficiency in written and spoken English; French and German language skills are an asset

Highly desirable

Knowledge of ISO/IEC 2700x standard

Experience with enterprise application software development, esp. using Java and .net

Experience with identity management/federation/SSO platforms, esp. SAML2 and Open ID Connect

Experience with containers - ideally using Red Hat Open Shift

Experience with the specific security challenges posed by Internet-facing Web applications