
Lead Application Security

Novac Technology Solutions Private Limited
Chennai | 7-15 LPA | Posted 12 Feb 2026
FULL TIME
ISO 27001
Application Security
OWASP Top 10
CISM
CISSP

Job Description

·      Lead the application security program across all software products, ensuring the adoption of secure development practices, vulnerability management, and secure coding standards.

·      Perform advanced security assessments, penetration testing, threat modeling, and code reviews for web applications, mobile apps, and cloud-native services.

·      Lead and mentor a team of security engineers, providing guidance on secure coding practices, vulnerability remediation, and security best practices.

·      Build and manage security testing tools, processes, and frameworks, including automated security testing within the CI/CD pipeline.

·      Collaborate with cross-functional teams (e.g., development, operations, and IT) to implement security requirements throughout the SDLC.

·      Drive the integration of security into Agile and DevOps workflows, ensuring continuous security testing and compliance.

·      Conduct risk assessments and provide actionable security recommendations to mitigate potential threats across all stages of the software development lifecycle.

·      Ensure that security issues are identified, tracked, and remediated within project timelines and defined risk thresholds.

·      Manage relationships with key stakeholders and provide technical security leadership across the organization.

·      Lead the design, development, and implementation of security policies, standards, and frameworks, ensuring alignment with industry best practices (OWASP, NIST, ISO, etc.).

·      Provide expertise in the secure design and architecture of web and mobile applications, APIs, microservices, and cloud infrastructure.

·      Stay updated with the latest security trends, tools, technologies, and vulnerabilities to continuously improve the application security program.

·      Lead incident response for security events related to application vulnerabilities, providing analysis, remediation strategies, and post-incident reporting.


Required Skills & Experience:

·      6-12 years of experience in application security, penetration testing, or related security fields.

·      Proven expertise in securing web and mobile applications (OWASP Top 10, OWASP Mobile Top 10, etc.), APIs, and microservices architectures.

·      In-depth experience with security testing methodologies (SAST, DAST, IAST, and penetration testing).

·      Strong expertise in identifying and mitigating security risks in the SDLC, and integrating security into Agile/DevOps workflows.

·      Solid understanding of common programming languages and platforms (e.g., Java, Python, C#/.NET, JavaScript, C++, etc.) and the secure coding practices that apply to each.

·      Experience with threat modeling, risk assessments, and vulnerability management processes.

·      Expertise in cloud security, including cloud platforms like AWS, Azure, and GCP.

·      Extensive experience with security tools such as Burp Suite, OWASP ZAP, Fortify, Checkmarx, and SonarQube.

·      Strong knowledge of web protocols (HTTP, HTTPS/TLS, REST, SOAP) and application security controls (authentication, authorization, session management, encryption).

·      Familiarity with industry frameworks and standards (e.g., NIST, ISO 27001, SOC 2, PCI DSS, GDPR).

·      Experience in mentoring and leading security teams, driving security initiatives across engineering departments.

·      Proficiency with secure coding practices and application security tools in continuous integration/continuous deployment (CI/CD) pipelines.

·      Strong communication skills with the ability to collaborate with both technical and non-technical stakeholders to drive security solutions.

·      Ability to influence and advocate for security initiatives in a complex organizational structure.


Preferred Skills:

·      Industry certifications such as CISSP, CISM, OSCP, CEH, or equivalent.

·      Experience with containerization and orchestration tools like Docker and Kubernetes.

·      Experience in automating security testing and integrating it into CI/CD workflows.

·      Knowledge of advanced threat intelligence, advanced persistent threats (APTs), and secure software design patterns.

·      Experience with application security at scale, especially in microservices and serverless architectures.
