Lead Application Security Engineer

About The Position

Requirements

• Strong knowledge of application security concepts, secure coding practices, and common vulnerabilities (e.g., OWASP Top 10).
• Hands-on experience with security testing tools such as SAST, DAST, SCA, fuzzing, and API testing platforms.
• Proficiency with GitHub or similar development platforms and integration of security into CI/CD pipelines.
• Ability to evaluate and implement automation strategies for AppSec processes.
• Comfortable working directly with developers, architects, product owners, and other stakeholders.
• Experience presenting complex security findings to both technical and non-technical audiences.
• Strong leadership and mentoring abilities to encourage adoption of secure development practices.
• Familiarity with SOC operations, incident response workflows, and integrating AppSec into broader enterprise security practices.
• Understanding of vulnerability management and risk prioritization processes in large organizations.
• 5+ years of professional experience in information security with a focus on application security.
• Previous experience as a developer or working closely with software development teams is strongly preferred.
• Candidates should be comfortable with an on-site presence to support collaboration, team leadership, and cross-functional partnership.

Nice To Haves

• Certifications such as GWAPT, GWEB, CSSLP, OSWE, or other relevant industry credentials are a plus.
• Proven experience leading security initiatives at scale in enterprise environments, ideally within financial services or other highly regulated industries.

Responsibilities

• Application Security Program Leadership Lead the organization’s Application Security (AppSec) program with a focus on continuous improvement and measurable outcomes.
• Define and enforce AppSec strategy, roadmap, and KPIs in alignment with enterprise security goals.
• Partnership with Development Teams Collaborate with software engineering teams to integrate security controls, best practices, and policies throughout the SDLC.
• Promote a "security by design" culture by coaching and mentoring developers on secure coding practices.
• Support threat modeling, secure code reviews, and security architecture discussions.
• Security Tooling and Integration Implement, configure, and maintain application security tooling (SAST, DAST, SCA, IaC scanning, container security).
• Integrate security checks into CI/CD pipelines using GitHub and other platforms.
• Evaluate emerging technologies and recommend tools that enhance automation and scalability.
• Monitoring, Incident Response, and Metrics Partner with SOC analysts to investigate application-layer alerts, incidents, and vulnerabilities.
• Track and report key security metrics, including vulnerability remediation timelines, pipeline coverage, and compliance with policies.
• Provide executive reporting and actionable insights on AppSec maturity and risk reduction progress.

Benefits

• Physical Wellness: Comprehensive medical insurance, dental insurance, and vision insurance; life and disability insurance; fertility benefits; wellness resources; and paid sick time.
• Mental Wellness: Generous paid time off and holidays; Employee Assistance Program (EAP); and a complimentary Calm app subscription.
• Financial Wellness: Immediate vesting in a 401(k) plan; Health Savings Account (HSA) and Flexible Spending Account (FSA) options; commuter benefits; and employee discount programs.
• Family Care: Paid maternity leave and paid paternity leave (including for adoptive parents); legal plan options; and pet insurance coverage.