Application Security Architect
Rapsys Technologies
Job Details
Skills
- Application Security
- AWS Application Security
- AWS
- STRIDE
Summary
Application Security Architect
AWS Application Security
• Lead the security architecture for the data center exit, defining secure landing zone patterns, reference architectures, and migration guardrails.
• Perform threat models (STRIDE) for target architectures: web/API tiers, TIBCO integrations, data pipelines, and database migration flows to Exadata on AWS.
• Embed security controls into SDLC: codify policies for SAST/DAST/SCA, container/IaC scanning, and enforce break-glass/approval workflows in CI/CD.
• Design identity and access patterns: least-privilege IAM roles, fine-grained segmentation, secrets rotation, and cross-account access governance.
• Define network security: VPC design, segmentation, Security Groups/NACLs, PrivateLink, TGW, WAF/Shield policies, and egress controls for EC2/EKS.
• Establish data protection: KMS/HSM key hierarchies, envelope encryption, TDE for Oracle, tokenization/masking where needed, and secure backups/replication.
• Drive cloud security monitoring & IR: CloudTrail/Config/GuardDuty/Se
• Conduct risk assessments and design reviews, align to OWASP Top 10, NIST/ISO control families, and document residual risks & compensating controls.
• Partner with DB, app, and integration teams to secure migration tooling (e.g., replication, cutover paths), validate rollback, and perform pre-go-live pen tests.
• Coach engineers via secure patterns (sample code/policies/Helm/Kyverno/Gat
Cloud Experience Needed
• Proven on-prem → AWS migration experience for large application portfolios, including EC2-hosted Java/.NET and Oracle 19c → Exadata on AWS transitions.
• Demonstrated design/implementation of AWS Landing Zone/Organizations, SCP guardrails, account baselining, and multi-account segmentation strategies.
• Practical use of AWS security services: IAM, KMS, Secrets Manager, Certificate Manager, WAF/Shield, GuardDuty, Inspector, Security Hub, Macie, CloudTrail, Config.
• Container security on EKS/ECS: IRSA, Pod Security Standards, network policies, admission controls (OPA/Gatekeeper/Kyverno), and ECR scanning.
• CI/CD security automation: integrating SAST/DAST/SCA, IaC scanners (Terraform/CFN), container scanning, and policy-as-code into pipelines.
• Network architecture on AWS: VPCs, subnets, route tables, NAT/IGW, PrivateLink, Transit Gateway, inter-VPC segmentation, and zero-trust patterns.
• Database migration security: encryption in transit/at rest, key rotation, privileged access, audit logging, and secure replication/cutover strategies.
• TIBCO ESB in cloud: TLS/mTLS, credential vaulting, secure connector patterns, API governance, and monitoring/observability for integrations.
• Experience hardening Windows Server (2016–2025) and RHEL (7–9) images (CIS), patch baselines, EDR/antimalware, and golden AMI pipelines.
• Evidence of governance at scale: compliance mapping (OWASP Top 10, NIST/ISO), risk registers, executive reporting, and continuous control monitoring.
• Hands-on AWS application security architecture across EC2, EKS/ECS, VPC, IAM, KMS, Secrets Manager, WAF/Shield, GuardDuty, Inspector, CloudTrail, Config, Security Hub.
• Threat modeling expertise (e.g., STRIDE), data-flow decomposition, and abuse-case identification for web, API, ESB, and data migration paths.
• Secure SDLC enablement: integrating SAST/DAST, SCA, container image scanning, IaC scanning (e.g., Terraform/CloudFormation), and secret scanning in CI/CD.
• Strong command of OWASP Top 10, ASVS, dependency risk management, and secure coding standards for Java and .NET services and APIs.
• Container and serverless security: EKS/ECS hardening (IRSA, network policies, admission controls), ECR scanning, Lambda least-privilege, and event security.
• Identity & access design: IAM roles, SCPs, org guardrails, role segmentation (RBAC/ABAC), federation (SAML/OIDC), and JIT access patterns.
• Database security: Oracle 19c/Exadata encryption (TDE), DB network encryption, key management, privileged access controls, and SQL audit strategies.
• TIBCO ESB security: mTLS, TLS 1.2+, credential/secret handling, payload validation, and API & integration governance.
• OS hardening knowledge for Windows Server 2016/2019/2022/2025 and RHEL 7/8/9 (CIS benchmarks, patching, endpoint controls).
• Clear communicator and coach for dev/DevOps/SRE teams; adept at risk articulation, tradeoff decisions, and executive-level reporting.
- Dice Id: 91171021
- Position Id: 8922788
- Posted 11 hours ago
Company Info
About Rapsys Technologies
Headquartered in Singapore, with offices in Delaware, USA, Malaysia and India, we partner with multinational companies to provide comprehensive, cutting-edge technology and business process outsourcing solutions. We aim to be a premier international technology and BPO services and solution company by providing the best value to clients, employees and associates in an honest, open and ethical environment.
We provide services to many of the world’s leading companies. We are committed to creating positive long term outcomes for our clients.
Our core value is our customer orientation and this value permeates across our entire organization. We strongly believe that our strong focus towards customers and their needs is critical to our long-term growth and success. Our success has always been measured on our ability to satisfy our customers and exceed their expectations on an on-going basis.
We can only achieve such a goal through our strong emphasis on People, Process, Technology and Innovation.