Lead Engineer, Application Security

CNA National Warranty Corp•Scottsdale, AZ

1d•Hybrid

About The Position

CNA National is seeking a Lead Engineer, Application Security to play a critical dual role at the intersection of secure software development and hands-on engineering leadership. This position is ideal for a technologist who is passionate about building modern applications and ensuring they are secure by design. In this role, you will embed application security expertise directly into the engineering organization. Approximately half of your focus will be on application security—identifying vulnerabilities, guiding remediation efforts, and providing meaningful security metrics and reporting. The other half will be spent leading and contributing to the design, development, and delivery of applications built with Java and Angular. The ideal candidate naturally bridges security and engineering, influencing architecture decisions, mentoring development teams, and championing best practices that balance strong security with scalability, performance, and delivery speed. This position is based in our Scottsdale, AZ office. After completing an initial training period, the role offers a hybrid schedule with four days in the office and one remote day per week.

Requirements

Bachelor’s degree in Computer Science, Information Technology, or equivalent experience.
5+ years of hands-on application security engineering experience, including vulnerability assessment and remediation.
7+ years of software development experience with Java and Angular/AngularJS.
3+ years of experience in a technical leadership or lead engineering capacity.
Proficient in: Java, Spring Boot, Spring Security, REST Web Services, Microservices, JavaScript, TypeScript, AngularJS, Angular, HTML, CSS, JUnit, Mockito, Git, Maven, and SQL.
Hands-on experience with enterprise application security scanning platforms such as Veracode, Checkmarx, Fortify, or similar tools, including SAST, DAST, and SCA scan configuration, results interpretation, and developer-facing remediation guidance.
Strong understanding of the OWASP Top 10 and how vulnerabilities manifest in enterprise Java and JavaScript applications.
Experience securing REST APIs, including OAuth2, JWT, and Spring Security implementations.
Demonstrated ability to produce clear vulnerability reports with severity ratings, impact assessments, and recommended mitigations for both technical and non-technical audiences.
Experience in project estimation, requirements gathering, system design, agile story creation, release support, and agile methodologies.
Strong written and verbal communication skills with the ability to engage both development teams and IT leadership effectively.
Excellent analytical and problem-solving abilities with strong attention to detail.
Team-oriented, adaptable, and motivated to support both engineering excellence and organizational security goals.

Nice To Haves

Preferred knowledge in: GitHub Copilot, AI-assisted security tooling, AWS, GCP, Drupal, Jasmine, Karma, IntelliJ, Eclipse, STS, WebStorm, Rancher, Jira, PL/SQL, Checkmarx, Fortify, or Burp Suite.
Security certifications such as CSSLP, CEH, GWAPT, or equivalent application security credentials are a plus.

Responsibilities

Conduct application security assessments and vulnerability scans using Veracode (SAST, DAST, and SCA) across Java, Spring Boot REST services, AngularJS, and Angular applications.
Analyze, prioritize, and track security findings through their full remediation lifecycle, ensuring timely resolution and appropriate escalation.
Hands-on remediate security vulnerabilities directly in Java, Spring Boot, AngularJS, and Angular codebases, while also guiding developers on secure coding practices and mitigation techniques specific to the Java and JavaScript ecosystem.
Review, assess, and implement REST API security controls hands-on, including coding authentication, authorization, input validation, and data protection solutions directly within Spring Boot services.
Produce clear, well-structured vulnerability reports and executive summaries for both technical teams and leadership.
Establish and maintain application security policies, standards, and guidelines aligned with OWASP and industry best practices.
Participate in Architecture Review Board discussions to identify and address security risks in proposed designs.
Evaluate AI-generated code from tools such as GitHub Copilot for security risks and guide developers on safe AI-assisted development practices.
Leverage AI-assisted security tooling to accelerate vulnerability detection, triage, and remediation workflows.
Support compliance and audit activities related to application security controls.
Take full ownership of team deliverables, ensuring quality, stability, and resilience of applications.
Establish and enforce coding standards and development practices for high-quality, secure software delivery.
Serve as the technical lead for major system components, guiding architecture and technical decisions while remaining an active, hands-on contributor to the codebase.
Actively design, write, review, and maintain code for scalable user interfaces and services, contributing directly to efficient, responsive applications built on Java, Spring Boot, Angular, and microservices architectures.
Understand data flows and system integrations to support solution design, and write code directly to facilitate defect resolution and system improvements.
Identify and resolve performance issues, defects, and system inefficiencies through direct, hands-on code contributions or delegating fixes to others as needed.
Act as the primary technical liaison with stakeholders, translating requirements into scalable solutions and managing expectations.
Foster a culture of accountability, security awareness, and continuous improvement through coaching and mentoring.