Senior Application Security Architect

About The Position

Requirements

• 12+ years in software engineering; 8+ years in a dedicated Application Security / Secure SDLC role.
• 8+ years of production C# / .NET - expert in modern .NET (6/7/8+), ASP.NET Core, EF Core, secure deserialization, authorization policies, Data Protection, and NuGet supply- chain hygiene.
• Working architect-level proficiency in Python, Node.js / TypeScript, and Angular - able to define standards, review code, and threat-model these stacks.
• Expert in Git internals, branching strategies, merge semantics, signed commits, and large-scale repo governance on GitHub Enterprise / Azure DevOps / GitLab.
• Proven track record standing up or significantly maturing a Secure SDLC at enterprise scale, security-as-code, metric-driven AppSec.
• Deep knowledge of OWASP Top 10, API Top 10, ASVS L2/L3, CWE Top 25, MITRE ATT&CK, applied cryptography, and identity protocols (OAuth 2.1, OIDC, SAML, FIDO2).
• Excellent written communication - authors standards, ADRs and executive briefings; calm, structured incident leadership.
• Third-party/vendor risk assessments, ensuring alignment with internal security policies and risk tolerance.

Nice To Haves

• Public CVEs, OSS security tooling, or conference talks (BlackHat, DEF CON, OWASP, NDC, .NET Conf).
• Experience building paved-road platforms / internal developer platforms (Backstage).
• AI / LLM application security (OWASP LLM Top 10, prompt injection, model supply chain).
• Fuzzing experience (SharpFuzz, libFuzzer) and prior PSIRT leadership.

Responsibilities

• Partner with product owners, engineering teams, and solution architects to architect, formalize, and implement a Secure SDLC framework. This framework should be based on NIST SSDF, OWASP SAMM, BSIMM, and Microsoft SDL standards, incorporating mandatory security checkpoints throughout the planning, development, testing, deployment, and operational phases to guarantee that security protocols are integrated from the project’s inception.
• Lead the architectural review process by overseeing ADRs, evaluating system architectures, and directing threat modeling sessions with methodologies such as attack trees, PASTA, and STRIDE.
• Act as the authoritative figure for security architecture, with the mandate to approve or deny designs based on established security benchmarks while championing a secure-by-design philosophy.
• Establish and uphold robust benchmarks for data handling and logging, alongside standards for cryptography, secure coding, and authentication/authorization frameworks such as FIDO2, mTLS, SAML, OIDC, and OAuth 2.1
• Manage comprehensive .NET application security: provide end-to-end oversight for C#, .NET 6/7/8+, ASP.NET Core (MVC, Web API, Minimal APIs), Blazor, gRPC, and EF Core. This includes securing the supply chain, hardening legacy .NET Framework environments, and implementing identity solutions
• Deliver architectural guidance for modern stacks: provide secure-coding expertise for Node.js, TypeScript (Express, NestJS, Next.js), and Angular, defining approved libraries and language-specific security patterns.
• Oversee development governance and reviews: manage Git branching strategies and repository protections across GitHub, Azure DevOps, and GitLab. Lead a tiered peer-review program for high-risk changes, conducting final reviews on critical paths.
• Architect and manage the AppSec toolchain: operate security automation including SAST, DAST, SCA, and secrets scanning. Define build-break policies, manage SBOM/SLSA compliance, and consolidate results via ASPM platforms.
• Lead vulnerability and incident response: own application-layer risk management, prioritizing issues via CVSS/EPSS and coordinating responses to supply-chain threats or zero-day events.
• Team leadership and mentorship: supervise AppSec engineers and Security Champions, fostering a security culture through paired coding, internal CTFs, and the development of reference architectures and playbooks.

Benefits

• Company sponsored Health, Dental, and Vision insurance
• 401K, traditional, and Roth with a company match
• Tuition Assistance or Tuition Reimbursement
• Unlimited Paid Time off
• Monthly Gym Reimbursement
• Paid time off to volunteer
• Paid Family Leave
• Complimentary lunches onsite
• Opportunity to grow
• Opportunity to work with a great team committed to making a difference.