Engineering - Technology Risk Advisory – Application and Infrastructure Risk - VP - Tokyo

Location(s): JP-Minato-ku
Job ID
Schedule Type: Full Time
Business Unit: Technology Risk
Employment Type




At Goldman Sachs, our Engineers don’t just make things – we make things possible.  Change the world by connecting people and capital with ideas.  Solve the most challenging and pressing engineering problems for our clients.  Join our engineering teams that build massively scalable software and systems, architect low latency infrastructure solutions, proactively guard against cyber threats, and leverage machine learning alongside financial engineering to continuously turn data into action.  Create new businesses, transform finance, and explore a world of opportunity at the speed of markets.

Engineering, which is comprised of our Technology Division and global strategists groups, is at the critical center of our business, and our dynamic environment requires innovative strategic thinking and immediate, real solutions.  Want to push the limit of digital possibilities?  Start here.




Goldman Sachs Engineers are innovators and problem-solvers, building solutions in risk management, big data, mobile and more. We look for creative collaborators who evolve, adapt to change and thrive in a fast-paced global environment.




The position is for an experienced Technologist with experience in Application and Infrastructure Risk and Security with a primary focus on application security architecture, design and implementation reviews through code analysis and hands-on testing where necessary. Experience with information security considerations and implementations in the underlying infrastructure will also be required.


This position is based in Tokyo as part of the Asia Pacific Technology Risk team. It is a demanding role requiring a broad understanding of the firm’s Information Security policies and controls and engagement with application development and infrastructure platform teams throughout the development lifecycle from design to implementation to ensure that security risks and vulnerabilities in the applications and infrastructure used by the firm are identified and remediated effectively.


The successful candidate for this role will provide effective leadership in information security and risk management for the firm by engaging with teams across the Technology Division and working with regional and global teams within Technology Risk to ensure the security of the firm’s applications and infrastructure. As a subject matter expert in application security and infrastructure risk controls the role will also require the individual to review, assess and respond to regulatory inquiries related to the firm’s information security policies and controls.


The position will report into the regional Head of Technology Risk.



Technology Risk acts as a risk advisor and control monitor for the Technology Division. Within Technology Risk, Risk Advisory is the consultative and Technology subject matter expertise arm, responsible for assessing new technology initiatives for risk, partnering with technology delivery groups to architect and design secure products and services, embedding implementation reviews as part of the SDLC via code analysis and penetration testing and guiding technology innovation in terms of security and control.



  • Drive adoption of embedded application security controls as part of the Software Development Life Cycle (SDLC)
  • Advise in leading-edge engineering to protect Goldman Sachs’ network from security risks related to web, mobile, web services, and client/server architectures.
  • Assess applications and infrastructure for design-related security risks and assist teams in determining appropriate remediation for issues identified
  • Drive the adoption and uplift of application security programs throughout the Asia Pacific region
  • Provide subject matter expertise and educate development teams on secure coding practices
  • Provide guidance on existing and emerging threats in the web and mobile application space
  • Contribute to the technical understanding and adoption of information security standards, solutions and tools
  • Perform Design Review of process-level application architectures to ensure appropriate control specification at design time (inter-process flows across discrete virtual address spaces, e.g. web servers, app servers, service layers, file system access, database access, batch processes, etc.)
  • Oversee Code Review and automated testing processes of application security control implementations in Java, C, C++, C#, and ASP.Net
  • Drive implementation of security controls in platforms in technology teams across the region



Basic Qualifications

Core Skills and Experience:

  • Native-level Japanese language (spoken and written)
  • Clear English communication skills, both verbally and in writing
  • Experience in application vulnerability assessment of web, thick-client, or mobile applications.
  • Expert knowledge of security risks related to web, mobile, web services, and client/server architectures.
  • Experience in analyzing and decomposing application architectures to identify security gaps.
  • Strong analytical, interpersonal, problem solving, organizational and time management skills
  • Ability to communicate status, risks, and technical details in a succinct, direct and open manner
  • Ability to engage in deep technical discussions with other Technology groups, as well as ability to convey the same concepts and issues at a high level to senior management


Technical Skills and Experience:


Understanding and experience with a combination of some, or all, of the following:


  • Application security tools such as fuzzers, scanners, debuggers, decompilers, proxies, simulators, etc.
  • Popular web application programming languages (Java, JavaScript, C++, C#, Python, Perl, optionally Objective-C, etc.)
  • Common web stack technologies (e.g. HTTP, HTML5, AJAX, REST, etc.) and platforms (e.g. DropWizard, AngularJS, Tomcat, .Net, Sybase, MS SQL, MongoDB, etc.)
  • Core cryptography concepts (encryption, hashing, HMAC, digital signature) and how they are applied and attacked in web applications (e.g. TLS attacks, CBC attacks).
  • An understanding and knowledge of some or all of the following Technology areas and their impact on Information Security:
    • Windows and Unix/Linux operating systems
    • Network protocols such as TCP/IP
    • Common web-related and file transfer protocols such as HTTP/HTTPS and FTP
    • Firewall and IDS/IPS technology
    • Voice and Audio-Visual platforms
    • Configuration and vulnerability management


Other Skills Necessary:


  • Be a strong agent for change. Be able to facilitate new processes and standards that could impact working environment / culture
  • The ability to work within an open, consensus-based organization
  • The ability to manage and interact in a matrixed organization is essential
  • The ability to think “outside the box” and develop creative solutions to complex technical and process problems
  • Work effectively both independently and as part of a team, self-motivated and deadline driven
  • Strong customer service orientation
  • Individual must be goal oriented, and be able to work with others to achieve goals
  • Individual must be able to handle multiple interrupts and be able to multi-task effectively
  • Individual must be able to deal with a highly demanding client base and set client expectations appropriately
  • Excellent influencing skills at all levels and the ability to develop and maintain good relationships
  • Strong sense of ownership and accountability
  • Experience working in a distributed team with expectation for rapid escalation of issues and risks
  • Industry Certifications such as CISSP or GIAC Cyber Defense or Penetration Testing


Preferred Qualifications

  • Bachelor of Science in Computer Science, System/Computer Engineering, Cyber-Security, or Information Security is preferred. Four (4) years of additional work experience may be substituted in lieu of a Bachelor’s Degree. Bachelor of Science/Arts in Forensic Computing, System/Computer Engineering, Data Science, Engineering, Operations Research, or Decision Science will be considered.
  • Coursework or experience in computer science, computer security, computer networking, system design, system integration, software development, emerging technologies, open source frameworks, encryption schemes, and application testing/penetration testing/reviews preferred.


The Goldman Sachs Group, Inc. is a leading global investment banking, securities and investment management firm that provides a wide range of financial services to a substantial and diversified client base that includes corporations, financial institutions, governments and individuals. Founded in 1869, the firm is headquartered in New York and maintains offices in all major financial centers around the world.

© The Goldman Sachs Group, Inc., 2018. All rights reserved. Goldman Sachs is an equal employment/affirmative action employer Female/Minority/Disability/Vet.