This is a high-impact, hands-on role reporting directly to the CISO, with a clear growth path to AppSec Lead and exposure to GRC, cloud, and AI security.
What You'll Do
Secure SDLC & Application Security
Own and continuously evolve Secure SDLC (SSDLC), integrating security gates from design to deployment.
Lead threat modeling (STRIDE / PASTA / attack trees) for new features, architectural changes, and AI components.
Perform and oversee secure code reviews, design reviews, and security architecture reviews – and pair directly with developers on remediation, reference fixes, and reusable secure patterns / "paved-road" libraries.
Manage and operate the SAST, DAST, IAST, SCA, and secret-scanning stack; tune rules, triage findings, drive remediation, and reduce noise.
Define and enforce AppSec policies, secure-coding guidelines, and standards aligned with OWASP Top 10, ASVS, and SAMM.
Software supply-chain security: SBOM generation/analysis, open-source component risk, and dependency hygiene across R&D.
Strong, hands-on software engineering background – 5+ years building and shipping production software in a team (e.g., Java, JavaScript/TypeScript, Python, Node, React, etc.). You've designed, written, reviewed, debugged, and maintained real systems and understand engineering trade-offs and processes – not solely AI-assisted/low-code generation. This depth is what makes your security guidance credible to developers.
Bachelor's degree in Computer Science, Information Security, or related field (or equivalent experience)
2+ years focused on application/product security, or a clear, demonstrated transition from engineering into AppSec.
Experience in Secure SDLC implementation across modern CI/CD environments (GitHub/GitLab, Jenkins, ArgoCD, etc.).
Hands-on with SAST, DAST, SCA, and secret-scanning tools (e.g., Checkmarx, Snyk, SonarQube, Semgrep, Trivy; Burp/ZAP a plus).
Working knowledge of OWASP Top 10, ASVS, SAMM, CWE/SANS Top 25, and threat modeling (STRIDE/PASTA).
Secure API development (REST/GraphQL) and cloud security fundamentals (AWS preferred; IAM, containers/Kubernetes, IaC/Terraform).