Senior Security Engineer

Hexion Careers · Remote, OH
Hybrid

About The Position

Hexion is a global leader in specialty chemicals, delivering innovative solutions that improve performance, sustainability, and efficiency across industries. As part of our ongoing commitment to protecting enterprise assets, customer data, and operational continuity, we are investing in a world-class security engineering function. This team is responsible for embedding security deeply into our software development lifecycle, cloud infrastructure, and enterprise operations, ensuring that security is a first-class engineering discipline, not an afterthought.

The Senior Security Engineer is a hands-on technical leader responsible for architecting and operationalizing security across Hexion's software development pipelines, cloud environments, and enterprise systems. This role requires deep expertise in application security tooling (SAST, DAST, SCA), software supply chain integrity (SBOM), secrets management, cloud security posture, and DevSecOps practices.

This role ensures that:

  • Security is embedded at every stage of the software development lifecycle (SSDLC)
  • Vulnerabilities are identified and remediated before reaching production
  • Cloud and application security baselines are defined, enforced, and continuously validated
  • Developer teams are equipped with secure-by-default tooling and guardrails

This is a builder's role — equal parts engineer, pen tester, and practitioner.

One-Line Summary: Build and operate the security engineering function that makes Hexion's software development lifecycles, pipelines, and cloud environments secure by design.

Requirements

  • Bachelor's degree in Computer Science, Information Security, Software Engineering, or related field (Master's preferred)
  • 7+ years of experience in security engineering, application security, application development, or DevSecOps roles
  • Hands-on experience deploying and operating SAST, DAST, and SCA tooling in enterprise CI/CD environments
  • Demonstrated experience building and managing SBOM programs at scale
  • Deep expertise in secrets management platforms (AWS Secrets Manager, or equivalent)
  • Strong cloud security experience across AWS, Azure, including IAM, network security, and CSPM tooling
  • Experience defining and enforcing branch protection, code signing, and repository security controls
  • Proficiency in one or more scripting/programming languages (Python, Go, Bash, or equivalent) for automation and tooling
  • Working knowledge of SSDLC frameworks, threat modeling methodologies (STRIDE), and security requirements engineering
  • Familiarity with security frameworks and standards: NIST CSF, NIST 800-53, CIS Benchmarks, OWASP Top 10, SANS 25

Nice To Haves

  • Experience with Policy-as-code tooling (OPA/Rego, Sentinel, Checkov, Terrascan)
  • Experience with Container and Kubernetes security (image scanning, admission controllers, runtime security with Falco or equivalent)
  • Experience with Security champion program design and developer enablement
  • Experience with Enterprise vulnerability management and risk-based prioritization programs
  • Certifications (any of the following valued): CISSP, CSSLP, GWEB, GWAPT, AWS Security Specialty, Microsoft Security Engineer Associate, CCSP

Responsibilities

  • Own the selection, deployment, tuning, and continuous operation of application security testing tools
      • Implement and manage Static Application Security Testing (SAST) tools integrated into CI/CD pipelines (e.g., Checkmarx, Snyk, Semgrep, SonarQube, Veracode)
      • Deploy and operate Dynamic Application Security Testing (DAST) solutions for runtime vulnerability detection (e.g., OWASP ZAP, Burp Suite Enterprise, Checkmarx)
      • Integrate Software Composition Analysis (SCA) to identify vulnerabilities in open-source dependencies (e.g., Snyk, Black Duck, Dependabot)
      • Establish triage workflows, severity thresholds, and developer-facing remediation guidance
      • Track vulnerability metrics and report on risk reduction trends to security leadership
  • Build and govern the enterprise SBOM program
      • Define SBOM generation standards across all software
      • Integrate SBOM generation into build pipelines as a gating control
      • Maintain SBOM inventory and correlate with known vulnerability feeds (NVD, OSV, CVE)
      • Support regulatory and customer-facing SBOM disclosure requirements
      • Advise engineering teams on dependency hygiene and license compliance
  • Embed security natively into CI/CD pipelines and developer workflows
      • Design and enforce pipeline security gates — no build ships without passing defined security checks
      • Implement pre-commit hooks, PR scanning, and automated security feedback loops
      • Define and enforce secure pipeline configurations across GitHub Actions, Azure DevOps, Jenkins, or equivalent
      • Govern pipeline access controls, service account permissions, and artifact signing
      • Partner with platform engineering to harden build infrastructure and runner environments
  • Operate enterprise secrets management
      • Leverage and manage secrets management solutions (Delinea, CyberArk, AWS Secrets Manager, Azure Key Vault)
      • Eliminate hardcoded credentials across codebases — implement detection and remediation pipelines
      • Define secrets rotation policies, access controls, and audit logging standards
      • Integrate secrets injection into CI/CD pipelines and application runtimes
      • Conduct periodic secrets sprawl audits and enforce zero standing secrets in code repositories
  • Establish and enforce secure source control practices
      • Define branch protection standards for master/main and sub-branches (required reviewers, status checks, signed commits)
      • Govern repository access policies, least-privilege permissions, and PAT/token lifecycle
      • Implement code scanning and secret detection on all branches, not just main
      • Enforce code signing and supply chain integrity controls for release pipelines
      • Audit and report on code repository posture across all engineering teams
  • Own cloud security architecture and posture management
      • Deploy and operate Cloud Security Posture Management (CSPM) tooling (e.g., Wiz, Prisma Cloud, AWS Security Hub, Defender for Cloud)
      • Define and enforce cloud security baselines across AWS, Azure, and/or GCP environments
      • Enable IAM policies, network segmentation, resource tagging, and encryption standards
      • Monitor for misconfigurations, excessive permissions, and drift from approved baselines
      • Integrate cloud security findings into enterprise risk and vulnerability management programs
  • Define and enforce security baselines across the enterprise
      • Author and maintain security configuration baselines aligned to CIS Benchmarks and internal policy
      • Implement automated baseline compliance validation across cloud, OS, container, and application layers
      • Translate security policy into enforceable technical controls — policy as code where applicable
      • Partner with compliance and risk teams to align technical baselines to regulatory requirements (SOC 2, ISO 27001)
  • Champion security throughout the entire development lifecycle
      • Define and operationalize SSDLC practices across all engineering teams — from design through deployment
      • Conduct threat modeling workshops with product and engineering teams for new systems and features
      • Develop security requirements, security user stories, and abuse cases for inclusion in sprint planning
      • Establish security review gates at key SDLC milestones (architecture review, pre-release, post-incident)
  • Work across teams to make security a shared responsibility
      • Serve as the primary security engineering liaison to application development, platform engineering, and DevOps teams
      • Partner with the Security Operations Center (SOC) to connect pipeline telemetry with detection and response workflows
      • Collaborate with GRC and risk teams to translate findings into risk language for executive reporting
      • Engage with third-party vendors and open-source communities to stay current on tooling and threat intelligence

Benefits

  • We are an Equal Opportunity, Affirmative Action employer. All qualified applicants will receive consideration for employment without regard to gender, minority status, sexual orientation, gender identity, protected veteran status, status as a qualified individual with a disability or any characteristic protected by law.
  • Candidates must be willing to take a drug test
  • Candidates must submit to a background investigation as part of the selection process, as well as additional periodic background checks as required by the Chemical Facility Anti-Terrorism Standards (CFATS) or regulations adopted by the Department of Homeland Security or other regulatory agencies
  • Candidates are required to have unrestricted authorization to work in the United States.