Engineer, Application Security

KeHE Distributors, LLC
Naperville, IL
Hybrid

About The Position

At KeHE, we’re obsessed with creating solutions, unboxing potential, and serving others – and it all starts with you. As an employee-owned distributor of natural and organic, specialty, and fresh products, we’re committed to making a positive impact and scaling our success together. With a culture that fosters development and opportunity, you’ll be embarking on a career that’s moving forward. When you join KeHE, you’re becoming part of a team that is a force for good.

Requirements

  • Strong understanding of application security fundamentals and common vulnerability classes (e.g., OWASP Top 10) and secure coding practices.
  • Experience conducting threat modeling and security design reviews; ability to identify abuse cases, trust boundaries, and mitigations.
  • Hands-on experience with application security testing methodologies and tools (SAST/DAST/SCA, secrets scanning); ability to interpret results and drive remediation.
  • Experience integrating security checks into CI/CD pipelines and developer workflows; familiarity with Git-based workflows and modern build/release practices.
  • Ability to prioritize findings using risk context (asset criticality, exposure, exploitability, data sensitivity).
  • Strong written and verbal communication skills; ability to translate security requirements into practical engineering actions.
  • Experience securing cloud-native applications (AWS preferred; Azure exposure a plus) and modern architectures (APIs, containers, microservices, serverless).
  • Familiarity with container and IaC security concepts (image scanning, Kubernetes security concepts, Terraform/CloudFormation scanning).
  • Scripting/automation skills (Python, PowerShell, or similar) to improve scale and reduce manual work.
  • Familiarity with secrets management tooling and practices (vaults, key management, rotation workflows).
  • Familiarity with secure SDLC governance and control mapping to common frameworks (NIST CSF, CIS Controls, NIST 800-53).
  • Bachelor’s degree in Computer Science, Software Engineering, Information Security, or related field; or equivalent practical experience.
  • 3–8+ years of experience in application security, secure software engineering, DevSecOps, or software development with significant security responsibilities.

Nice To Haves

  • Azure exposure

Responsibilities

  • Reduces application and software risk by embedding security into the secure software development lifecycle (SSDLC).
  • Partners closely with engineering, infrastructure, and product teams to design secure architectures, perform threat modeling, implement security testing and CI/CD controls, and drive remediation of vulnerabilities.
  • Helps evaluate and shape security practices for emerging AI and agentic tools, including GenAI assessments and guardrail development as these programs mature.
  • Develops practical security standards, builds and operates a vulnerability operations function, improves developer enablement through reusable patterns and automation, and supports investigations related to application vulnerabilities, insecure configurations, or software supply chain risk.
  • Aligns all actions and responsibilities with KeHE’s Mission, Vision, and Values.

Benefits

  • Health/Rx
  • Dental
  • Vision
  • Flexible and health spending accounts (FSA/HSA)
  • Supplemental life insurance
  • 401(k)
  • Paid time off
  • Paid sick time
  • Short term & long term disability coverage (STD/LTD)
  • Employee stock ownership (ESOP)
  • Holiday pay for company designated holidays