About The Position

We are seeking an experienced and strategic Senior Manager of Application Security to lead our application security team. This role is responsible for building and maturing our application security program, embedding security throughout the software development lifecycle (SDLC), and ensuring that Nordstrom’s applications and APIs are protected against evolving threats. The ideal candidate will drive technical strategy for application security tooling, scale secure-by-design practices, and lead initiatives to integrate security seamlessly into engineering workflows while building a high-performing AppSec team. You will partner closely with product engineering, platform, and DevOps teams to deliver security at the speed of development. The right leader will bring an AI-first mindset and a proven ability to enable their team to embrace and leverage AI in their day-to-day work.

Requirements

  • Bachelor’s degree in Computer Science, Information Security, or related field—or equivalent practical experience.
  • 8+ years of experience in information security or cybersecurity with a strong focus on application security, secure software development, or offensive security.
  • 3-5 years of experience in security management or technical lead roles, with a track record of building and leading high-performing AppSec or product security teams.
  • Deep understanding of application security principles, including the OWASP Top 10, secure SDLC methodologies, threat modeling (e.g., STRIDE), API security, and web application attack techniques and defenses.
  • Proven experience deploying and scaling AppSec tooling (SAST, DAST, SCA, secrets detection) within CI/CD pipelines in large, distributed engineering organizations.
  • Strong knowledge of application security frameworks and maturity models (e.g., OWASP SAMM, BSIMM, NIST SSDF) and how to apply them to build a measurable, risk-based AppSec program.
  • Excellent leadership, strategic thinking, and communication skills.
  • Demonstrated AI-first mindset with experience adopting AI tools and enabling teams to integrate AI into their work.
  • Proven ability to translate complex application security risk into developer-friendly guidance, actionable remediation advice, and business-aligned risk decisions.

Nice To Haves

  • Master’s degree in a relevant field.
  • Experience securing cloud-native applications and microservices architectures, including container security, serverless functions, and cloud-native API gateways (AWS, Azure, or GCP).
  • Familiarity with AI-powered application security tools such as AI-assisted code review, LLM-based vulnerability analysis, or AI-enhanced DAST/fuzzing platforms.
  • Relevant industry certifications (e.g., CSSLP, GWEB, GWAPT, OSCP, CISSP, or equivalent offensive/AppSec-focused credentials).
  • Hands-on experience with AppSec tools such as Semgrep, Checkmarx, Veracode, Snyk, Burp Suite Pro, or comparable SAST/DAST/SCA platforms.
  • Understanding of retail or e-commerce application security challenges, including payment security (PCI-DSS), fraud prevention, account takeover (ATO) defenses, and securing high-volume customer-facing APIs.
  • Experience building or scaling a Security Champions program or developer security training initiatives within a large engineering organization.
  • Background in software engineering or development — candidates who have written production code and understand the developer experience bring a meaningful advantage to this role.

Responsibilities

Strategic Leadership & AppSec Program Vision

  • Develop and execute a strategic roadmap for application security across the SDLC, including secure code review, SAST/DAST/SCA tooling, API security, secrets management, and developer security enablement.
  • Champion an AI-first approach to application security, identifying opportunities to leverage AI for vulnerability detection, code analysis, threat modeling automation, and developer guidance.
  • Drive a shift-left security strategy, embedding security practices early in the development lifecycle and reducing time-to-remediation for application vulnerabilities.
  • Create multi-quarter implementation plans for maturing the AppSec program, including bug bounty expansion, penetration testing cadence, and security champions growth, aligned with enterprise security and engineering objectives.
  • Identify and prioritize application security investments based on threat intelligence, vulnerability trends, business risk, and the evolving attack surface of Nordstrom’s web, mobile, and API ecosystem.
  • Establish meaningful AppSec metrics that demonstrate program maturity and business value, such as mean time to remediate (MTTR), vulnerability density trends, security debt reduction, and developer security training completion.
  • Partner with security leadership to translate organizational security strategy into actionable platform implementation plans.

Program Management & Technical Execution

  • Lead the design, implementation, and lifecycle management of application security tooling including SAST, DAST, SCA, IAST, secrets detection, API security testing, and developer security training platforms.
  • Oversee RFP processes and technical evaluations for AppSec tooling, ensuring selected solutions integrate into CI/CD pipelines and developer workflows with minimal friction.
  • Own the application penetration testing program, including scoping, vendor management, internal red team coordination, and ensuring findings are tracked to remediation.
  • Establish and maintain application security standards, secure coding guidelines, threat modeling practices, and architectural review processes across engineering teams.
  • Build and scale a Security Champions program that embeds security awareness and accountability within engineering squads, reducing reliance on centralized security reviews.
  • Partner with engineering, DevOps, and platform teams to integrate security gates into CI/CD pipelines, ensuring automated scanning and policy enforcement at every stage of the build and deploy process.
  • Lead application security incident response for vulnerabilities and exploits targeting Nordstrom’s applications, driving rapid triage, root cause analysis, and durable remediation in partnership with the SOC and engineering teams.

Team Leadership & Development

  • Build, lead, and mentor a diverse team of application security engineers spanning offensive security, secure code review, AppSec tooling, and developer enablement functions.
  • Establish team structure that balances proactive security engineering (tooling, automation, secure design) with reactive functions (vulnerability management, security reviews, and incident support).
  • Create individual development plans that align with team members’ career aspirations and organizational needs.
  • Implement performance management frameworks that recognize achievements and address development areas.
  • Foster a collaborative culture that encourages knowledge sharing, continuous learning, partnership, and innovation.
  • Identify and develop emerging leaders within the team to build succession pipelines.
  • Foster a culture of AI adoption by modeling an AI-first mindset, enabling experimentation, and integrating AI tools into team workflows.
  • Promote inclusive team practices that value diverse perspectives and approaches.

Stakeholder Management & Cross-Functional Collaboration

  • Build strategic partnerships with engineering managers, directors, product managers, and platform leads to ensure security is embedded in product decisions and the engineering culture, not bolted on.
  • Represent application security needs in cross-functional initiatives, architecture review boards, and steering committees, advocating for secure-by-default standards across Nordstrom’s technology ecosystem.
  • Communicate complex security concepts effectively to both technical and non-technical audiences.
  • Negotiate and manage dependencies with engineering teams to prioritize vulnerability remediation, ensuring AppSec findings are tracked in product backlogs and addressed within agreed SLAs.
  • Collaborate with governance, risk, and compliance teams to ensure application security practices satisfy regulatory requirements (e.g., PCI-DSS, SOX) and align with industry standards such as OWASP SAMM and BSIMM.
  • Partner with the SOC and incident response teams to ensure application-layer detections, WAF rules, and threat intelligence are incorporated into AppSec tooling and response playbooks.
  • Advocate for application security requirements in enterprise architecture decisions, third-party integrations, and technology standards to ensure secure design is a first-class consideration.

Benefits

  • Medical/Vision, Dental
  • Retirement and Paid Time Away
  • Life Insurance and Disability
  • Merchandise Discount and EAP Resources

What This Job Offers

Job Type

Full-time

Career Level

Manager

Number of Employees

5,001-10,000 employees