Overview:
This role will be an integral component of the application security program end-to-end — from discovery and inventory of business unit applications, through tooling implementation, through embedding security and AI-assisted controls into business unit DevOps pipelines. This is as much a relationship and influence role as it is a technical role; success requires partnering effectively with subsidiaries. This is a hybrid on-site position, with a requirement to be in office three times per week.
What You’ll Do
• Application discovery and inventory across all business units, including ownership mapping, technology stack profiling, and risk tiering.
• Standing up and operating the AppSec tooling stack — SAST, SCA, secrets scanning, and container/IaC scanning — integrated into business unit CI/CD pipelines.
• Designing and implementing AI-assisted triage workflows on top of AppSec tooling so that finding volume does not overwhelm developers and false positives are filtered before reaching engineering teams.
• Defining secure SDLC requirements, threat modeling practices, and security gates that business units adopt as part of their standard development process.
• Partnering with business unit development leaders to build the relationships and shared playbooks needed to operationalize AppSec without becoming a blocker to delivery.
• Contributing to AI security strategy — evaluating emerging tools (AI code review assistants, agentic security testing, automated security requirement generation) and recommending what to operationalize and what to defer.
• Producing executive-ready metrics and reporting that connect AppSec activity to business risk reduction.
Required Qualifications
• 7+ years in application security, product security, or security engineering, with at least 3 years in environments with multiple independent business units, brands, or product lines.
• Hands-on experience deploying and operating modern AppSec tooling (e.g., Semgrep, Snyk, Checkmarx, Veracode, Apiiro, Ox Security, GitHub Advanced Security).
• Working code-level proficiency in at least three commonly-used languages (e.g., Python, JavaScript/TypeScript, Java, C#, Go) sufficient to read, review, and triage findings.
• Strong scripting and automation skills in Python or equivalent; comfortable building integrations against REST APIs and operating in CI/CD environments (GitHub Actions, GitLab CI, Jenkins, Azure DevOps).
• Demonstrated ability to influence engineering organizations without direct authority — negotiating standards, driving adoption, and partnering with development leaders.
• Practical understanding of OWASP Top 10, threat modeling methodologies (STRIDE, PASTA, or equivalent), and modern attack patterns including supply chain risks.
Preferred Qualifications
• Experience integrating LLM-based tooling into security workflows (alert triage, finding summarization, remediation guidance generation).
• Familiarity with one or more compliance frameworks relevant to our environment (HITRUST, HIPAA, NIST AI RMF, SOC 2).
• Prior experience working in a regulated or healthcare-adjacent environment.
• Cloud security depth in at least one major provider (AWS, Azure, Google Cloud Platform).
• Public contribution to AppSec community — OSS, conference talks, published research, or detection/rule contributions.
Never miss an opportunity! Create an alert based on the job you applied for.