Principal Application Security Engineer

About The Position

Requirements

• Education: Bachelor's Degree (accredited) in Computer Science, MIS, Business Administration or similar area of study or in lieu of degree, High School Diploma or GED (accredited) and four years of relevant work experience.
• Experience: Seven years of prior work experience (in addition to education requirement).
• One or more of the following is required: Certified Information Systems Security Professional (CISSP). Certified Information Systems Auditor (CISA). Certified Information Security Manager (CISM).
• Technically advanced or in-depth knowledge or skills in one or more of the following is required:
• Deep understanding of application security principles and secure coding practices
• Ability to design and implement security controls in CI/CD pipelines
• Strong analytical and problem-solving skills with attention to detail
• Excellent communication and collaboration skills to work with cross-functional teams
• Ability to produce clear and actionable security reports and dashboards for stakeholders
• Ability to create and deliver presentations targeted to either end users or senior management
• Experience in the areas of change control, problem management, incident management troubleshooting security solutions
• Ability to handle successfully multiple projects at one time

Nice To Haves

• Fortune 500 experience.
• Experience in several or more of the following application security technologies: SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing), IAST (Interactive Application Security Testing), SCA (Software Composition Analysis / open-source dependency scanning), API security (API discovery, auth testing, schema validation, runtime protection), RASP (Runtime Application Self-Protection), Pen-test automation / BAS for apps (continuous validation of controls) and SBOM (software bill of materials) & supply chain security provenance/attestation

Responsibilities

• Lead the design and implementation of application security architecture and engineering across enterprise applications, partnering with software development, infrastructure, and platform teams to secure cloud-native and on-prem environments.
• Embed security controls and best practices into CI/CD pipelines and DevSecOps workflows, driving adoption of secure coding standards and threat modeling across engineering teams.
• Evaluate, implement, and operate application security tooling (e.g., SAST, DAST, IAST, container security and related capabilities), ensuring solutions are effective, scalable, and well-integrated.
• Define, develop, and maintain application security metrics, reporting, and dashboards to provide visibility to leadership and key stakeholders.
• Engage and collaborate with third-party vendors to assess and validate the security capabilities of applications and services.
• Provide guidance and mentorship on application security standards, risk management, and compliance requirements to elevate security maturity across teams.
• Participate in occasional off-hours support as needed to support troubleshooting or emerging threats.
• Provides day-to-day management for the Information Protection function, responsible for security technologies utilized to protect WM's data and networks.
• Participates in WM's Information Security Office leadership team to drive innovative security solutions, and collaboration with other IT and global functions.
• Responsible for managing the work environment, identifying workforce needs and ensuring performance against expectations, values and vision.
• Manages security audit and intrusion detection system logs for system and network anomalies and provides highest level analysis.
• Responds to unique, highly complicated, suspicious or malicious events detected through collection or reported by Help Desk or users.
• Provides technically advanced remediation and application event support to IT operations and engineering teams
• Performs initial computer system forensic investigations and supports fraud investigations.
• Provides top level analysis, design and support for log collection of firewalls, routers, networks and operating systems.
• Communicates technical and event assessment results, evaluates engineering and integration initiatives and provides technical expertise to assess security policies, standards and guidelines.
• Develops, collects and analyzes logs from firewalls, intrusion detection systems, enterprise anti-virus systems and software deployment tools.
• Reviews and recommends the installation, modification or replacement of hardware or software components
• Identifies and addresses any configuration change(s) that impact event collection.

Benefits

• Medical
• Dental
• Vision
• Life Insurance
• Short Term Disability
• Stock Purchase Plan
• Company match on 401K
• Paid Vacation
• Holidays
• Personal Days