About The Position

At Cast & Crew, we’ve empowered creativity and supported the global entertainment industry for decades. Together with our family of brands – Backstage, CAPS, Checks & Balances, Final Draft, Media Services, Sargent-Disc, and The TEAM Companies – we operate as a combined entertainment technology and services provider offering industry-standard screenwriting and accounting software, digital payroll products, data & reporting, and a host of creative tools. The industry continues to move faster than ever, and the need for our expertise, our technology, and our people has never been greater. We are a production’s best ally every step of the way. #OneCastOneCrew

We’re not looking for a security manager who used to write code. We’re looking for an engineer who happens to also lead people.

The Manager, Application Security will own Cast & Crew’s application security program end-to-end — from threat modeling and code review to exploit development, red teaming, and building the tooling and pipelines that catch vulnerabilities before they ship. You will be deeply embedded in the engineering organization: embedded in pull requests, embedded in architecture conversations, and embedded in the minds of the developers you partner with.

This role sits at the intersection of elite offensive security skills, deep software engineering fluency, and the ability to lead and develop a small but high-impact team. You will report to the CISO and work closely with the VP of Engineering and product teams across a complex, multi-product environment handling sensitive payroll, financial, and production data for major studios and streaming platforms.

If you read CVEs for fun, have strong opinions about parser differentials, and can pivot from reviewing a threat model to writing a PoC exploit to coaching a junior engineer — this role was written for you.
As the Manager of Product Security, you will build and lead a team responsible for embedding security into every phase of our software development lifecycle. You'll work at the intersection of application security, cloud infrastructure security, and DevSecOps, partnering closely with engineering, operations, and product teams to ensure that security is not an afterthought but a foundational element of everything we build. This is a leadership role for someone who is equally comfortable setting strategic direction, mentoring team members, and rolling up their sleeves to solve complex technical security challenges. You will manage a team of security engineers and analysts, drive our DevSecOps transformation, participate in architecture reviews, and champion a "shift left" security culture across the organization. If you're passionate about building secure software at scale, thrive in a collaborative environment, and want to make a tangible impact on an industry that touches millions of workers, we want to hear from you.

Requirements

  • 7+ years in application security, offensive security, or product security — with hands-on technical depth throughout. Not 7 years of managing AppSec programs from a distance. You write code.
  • Not just scripts — real, production-quality code. Python, Go, Java, or similar. Security engineers who can’t code are a hard pass.
  • Deep, demonstrable expertise in at least three of the following:
      • Web application hacking: SQLi, XSS, SSRF, deserialization, auth flaws, business logic — you find these manually, not just with a scanner
      • Secure code review across multiple languages and frameworks
      • API security: REST, GraphQL, gRPC — you know where the attack surface lives
      • Cloud-native application security on AWS (IAM abuse, metadata service attacks, misconfigured S3/Lambda/ECS)
      • CI/CD pipeline security and DevSecOps toolchain integration
      • Exploit development, PoC writing, or red team operations
      • Fuzzing, static analysis, or custom security tooling development
  • 2+ years managing or leading security engineers, including mentorship and performance ownership.
  • Strong understanding of the entire vulnerability lifecycle: discovery, triage, reproduction, remediation validation, and root cause.
  • Experience working directly inside engineering orgs — reading PRs, attending standups, influencing architecture. Not operating from a separate security silo.
  • Can communicate technical risk clearly to both engineers and executives. No jargon substitutes for clarity.

Nice To Haves

  • CVEs to your name, bug bounty hall of fame credits, published research, CTF competition history, or an equivalent public body of offensive security work.
  • OSCP, OSED, OSWE, GWAPT, or similar offensive certifications. CISSP alone is not sufficient signal for this role.
  • Experience building internal security tooling from scratch — not just configuring vendor products.
  • Background in software development prior to moving into security. Engineers who crossed over understand how developers think.
  • Experience in regulated environments handling PII, financial data, or payroll data — SOC 2, NIST 800-53, CCPA familiarity.
  • Familiarity with secrets management (HashiCorp Vault, AWS Secrets Manager), container security, and IaC security (Terraform, CloudFormation).
  • Experience running or coordinating bug bounty programs and working with external researchers.

Responsibilities

  • Own and execute the full application security testing lifecycle: SAST, DAST, SCA, manual code review, and penetration testing across web, API, and mobile surfaces.
  • Write exploits. When a finding is disputed or unclear, you prove it — PoC code, not a CVSS score and a policy citation.
  • Perform deep manual code review across multiple languages and frameworks. You don’t rely solely on scanners; you read the code.
  • Lead threat modeling sessions for new features and architecture changes. You drive these, not just attend them.
  • Build and maintain internal security tooling — custom scanners, fuzz harnesses, pipeline integrations, automation scripts — in Python, Go, or similar.
  • Define and enforce secure coding standards across the SDLC. Champion shift-left security without being a blocker.
  • Operate and continuously tune SAST/DAST/SCA tooling (Snyk, Semgrep, Burp Suite, or equivalents) integrated into CI/CD pipelines.
  • Run or coordinate red team exercises and adversarial simulations against Cast & Crew products and infrastructure.
  • Lead vulnerability triage, root cause analysis, and post-incident security reviews for product security incidents.
  • Lead, mentor, and develop a team of security engineers and analysts (currently: 2 Application Security Engineers and an Application Security Analyst).
  • Set technical direction for the team. Your engineers should become better engineers because they work for you.
  • Conduct regular 1:1s, performance reviews, and career development conversations.
  • Hire and grow the team as the program scales. You know what good looks like because you’ve been it.
  • Build a culture of rigor and curiosity — where the team questions assumptions, hunts proactively, and owns outcomes.
  • Embed with engineering teams. Attend sprint planning, architecture reviews, and design sessions — not just as an observer but as a contributor.
  • Participate in the Architecture Review Board. Block what needs to be blocked; approve fast what doesn’t.
  • Build relationships with senior engineers and tech leads based on technical credibility. They should want you in the room.
  • Translate security risk into engineering language. No FUD, no compliance theater — clear, prioritized, evidence-based guidance.
  • Partner with the GRC team on SOC 2 and NIST 800-53 compliance for product security domains.
  • Collaborate with Corporate Security Operations on detection, response, and threat intelligence relevant to the product surface.

Benefits

  • Cast & Crew provides a comprehensive package of employee benefits including: Medical, Dental, Vision, PTO, health and wellness programs, employee discounts, and more!
  • Note: Cast & Crew benefits are subject to eligibility requirements.
  • Cast & Crew is an equal opportunity employer committed to hiring a diverse workforce and sustaining an inclusive culture. It is our policy to provide equal employment opportunities to all individuals based on job-related qualifications and ability to perform a job, without regard to age, gender, gender identity, sexual orientation, race, color, religion, creed, national origin, disability, genetic information, veteran status, citizenship or marital status, and to maintain a non-discriminatory environment free from intimidation, harassment or bias based upon these grounds.
  • Your personal information may be collected in connection with certain services provided by Cast & Crew or its affiliated companies. A summary of your California privacy rights can be found at: https://www.castandcrew.com/privacy-policy/
  • Compensation is commensurate with various factors including, but not limited to, relevant experience, qualifications, skills, training, licensure, certifications, geographic cost of labor, and other business and organizational needs.
  • Compensation range for candidates in other locations may differ based on the cost of labor in that location.
  • The compensation range for this position is: $150,000.00 - $190,000.00 per year.