Sr. Principal Security Engineer, Application Security & Automation

Eli Lilly and Company
Indianapolis, IN
$126,000 - $224,400
Hybrid

About The Position

As an Application Security Engineer, you will operate at the intersection of software engineering and security engineering: leading platforms, writing code, building integrations, and designing automation. You will take part in Lilly's Secure SDLC program end-to-end, including SAST, DAST, SCA, and secret scanning tooling; secrets management; and our emerging software supply chain capabilities. You will use technology and apply LLM-based approaches to secure application and architecture design, vulnerability triage and remediation, and the delivery of secure-by-default patterns across Lilly's development ecosystem.

Requirements

  • Bachelor's Degree in Computer Science, Information Security, Software Engineering, or related fields.
  • At least 2 years of dedicated application security experience.
  • At least 2 years of software development experience with individual contributions to production systems.
  • At least 5 years of combined experience across both disciplines.
  • Proven production coding experience in at least one of: Python, TypeScript/JavaScript, Java, Go, or C# — not solely in an advisory, review, or scripting capacity.
  • Experience building or integrating security automation within a GitHub environment, including GitHub Actions.
  • Familiarity with threat modeling in a professional setting.
  • Hands-on experience with large language models (LLMs) in a professional or project context, such as prompt engineering, API integration, or workflow automation.
  • Hands-on software development experience in at least one modern language (Python, TypeScript/JavaScript, Java, Go, or C#) with a track record of shipping working code, not just reviewing others'.
  • Strong expertise in application security fundamentals—OWASP Top 10, CWE, secure coding practices, threat modeling, and vulnerability assessment.
  • Experience operating or deeply integrating with SAST, DAST, SCA, and secret scanning tools.
  • Working knowledge of cloud environments (AWS preferred; Azure or GCP welcome) and containerized workloads (ECS, EKS, Docker).
  • Familiarity with IaC scanning and the IaC ecosystem (Terraform, CloudFormation, Kubernetes manifests).
  • Strong communication skills; ability to translate security requirements into actionable engineering guidance and to represent AppSec in conversations with engineering partners.
  • Commitment to staying ahead of emerging AppSec threats, tooling, and AI/LLM capabilities.

Nice To Haves

  • Genuine enthusiasm for and hands-on experience with LLMs, prompt engineering, agentic workflows, or LLM-powered tooling—bonus points for things you have actually built and shipped.
  • Familiarity with secrets management platforms and patterns and with software supply chain / artifact management.

Responsibilities

  • Evolve one or more AppSec platforms within the Secure SDLC program.
  • Design and build automation within Security Architecture and Engineering.
  • Apply LLMs, agentic frameworks, MCP servers, and tool-calling patterns.
  • Partner with development teams on secure coding practices, threat modeling, and remediation of findings from SAST, DAST, SCA, and secret scanning tools.
  • Contribute to Lilly's Secure SDLC standards and vulnerability management policy, translating policy into enforceable pipeline and platform controls.
  • Support the secrets management rollout and migration of applications off legacy secret stores, including code-level guidance for SDK-based and injected consumption patterns.
  • Produce developer-facing content, reference architectures, secure patterns, short-form instructional content and reusable code samples.
  • Harden Lilly's CI/CD environment against software supply chain attacks: pinned actions, OIDC-based cloud auth, runner isolation, workflow permissions, and protection of build-time secrets and artifacts.
  • Partner with the Cloud Security team on Infrastructure-as-Code (IaC) security — extending secure-by-default patterns and developer guardrails from application code into the infrastructure that runs it.
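The CI/CD hardening controls named above (pinned actions, least-privilege workflow permissions, OIDC-based cloud authentication, and protected build artifacts) map directly onto a GitHub Actions workflow. The workflow below is an added illustration, not code from Lilly or from this posting; the `<full-commit-sha>` values, the IAM role ARN, the bucket name, and the `make build` step are placeholders you would replace with your own.

```yaml
name: build-and-deploy
on:
  push:
    branches: [main]

# Deny all token scopes at the workflow level; each job asks only for what it needs.
permissions: {}

jobs:
  build:
    # Prefer ephemeral, single-use runners (or GitHub-hosted ones) so one job cannot
    # leave state behind for the next; self-hosted persistent runners widen the blast radius.
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      # Pin every third-party action to a full commit SHA rather than a mutable tag.
      # The SHA is a placeholder here; resolve the real one from the action's repository
      # and keep the version in a trailing comment so tooling can track updates.
      - uses: actions/checkout@<full-commit-sha>  # v4
      - run: make build   # placeholder build step
      # Artifacts flow between jobs through the artifact store, not through a shared runner.
      - uses: actions/upload-artifact@<full-commit-sha>  # v4
        with:
          name: dist
          path: dist/

  deploy:
    needs: build
    runs-on: ubuntu-latest
    # Environment protection rules (required reviewers, branch restrictions) gate this job.
    environment: production
    permissions:
      id-token: write   # required to mint the OIDC token; the only write scope granted
      contents: read
    steps:
      - uses: actions/download-artifact@<full-commit-sha>  # v4
        with:
          name: dist
      # Exchange the OIDC token for short-lived cloud credentials; no long-lived
      # access keys are stored as repository secrets. The IAM role's trust policy
      # should restrict the token "sub" claim to this repo and environment.
      - uses: aws-actions/configure-aws-credentials@<full-commit-sha>  # v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/ci-deploy-role   # placeholder
          aws-region: us-east-1
      - run: aws s3 sync dist/ s3://example-deploy-bucket/   # placeholder target
```

The weak counterpart of this file would grant the default broad token permissions, reference actions by floating tags such as `@main`, and read an `AWS_SECRET_ACCESS_KEY` from repository secrets; each of those is what the corresponding line above replaces. The OIDC role's trust policy on the cloud side is the other half of the control and is not shown here.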

Benefits

  • company bonus (depending, in part, on company and individual performance)
  • company-sponsored 401(k)
  • pension
  • vacation benefits
  • medical, dental, vision and prescription drug benefits
  • flexible benefits (e.g., healthcare and/or dependent day care flexible spending accounts)
  • life insurance and death benefits
  • certain time off and leave of absence benefits
  • well-being benefits (e.g., employee assistance program, fitness benefits, and employee clubs and activities)