Application Security Engineer/Lead (DevSecOps/CI/CD Security)
About the job
We are partnering with a leading technology-driven organization to hire an experienced Application Security Engineer / Lead. This role focuses on embedding security throughout the software development lifecycle (SDLC) and reducing application risk across cloud-native and containerized environments.
You will collaborate closely with engineering, DevOps, and product teams to implement scalable DevSecOps practices, integrate automated security controls into CI/CD pipelines, and promote secure-by-design principles, ensuring a strong security posture without impacting delivery speed.
Key Responsibilities
- Integrate security practices across all phases of the SDLC, from planning to deployment, in collaboration with cross-functional teams
- Design, implement, and manage application security testing programs, including Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Software Composition Analysis (SCA), Interactive Application Security Testing (IAST), and Runtime Application Self-Protection (RASP)
- Embed automated security checks and quality gates within CI/CD pipelines to ensure consistent and scalable controls
- Perform API security assessments, including validation of authentication, authorization, input handling, and abuse scenarios
- Conduct or coordinate penetration testing for web applications and APIs, and validate remediation efforts
- Lead threat modeling sessions and secure design reviews for modern architectures (e.g., microservices, serverless, containerized applications)
- Establish and manage vulnerability triage and remediation processes, including prioritization and tracking to resolution
- Define and promote secure coding standards; provide hands-on support through code reviews and guidance
- Support application-layer security across cloud environments, including identity management, secrets handling, and network exposure
- Implement best practices for secrets management, configuration security, and least-privilege access
- Develop dashboards and reporting metrics to track security coverage, remediation timelines, and overall risk trends
- Evaluate and onboard application security tools, optimizing for performance and developer usability
- Deliver training sessions and knowledge-sharing initiatives to improve developer security awareness
- Participate in incident response related to application vulnerabilities, including root cause analysis and preventive improvements
Core Technical Requirements
- Strong hands-on experience with:
  - SAST (tooling, tuning, and remediation support)
  - DAST (scan configuration, authenticated testing, and validation)
  - SCA (open-source risk management and dependency analysis)
- Familiarity with IAST and/or runtime security testing approaches
- Understanding of RASP or runtime protection mechanisms in production environments
- Proven experience in API security testing, including common risks and mitigation techniques
- Solid background in penetration testing for web applications and APIs
- Deep understanding of common application vulnerabilities (e.g., OWASP Top 10) and secure coding practices
DevSecOps & Tooling
- Experience working in DevOps environments with CI/CD pipelines and automated deployments
- Proven ability to integrate security controls into development workflows without disrupting delivery
- Hands-on experience with CI/CD platforms (e.g., pipeline configuration, build/release processes, artifact management)
- Familiarity with Infrastructure-as-Code (IaC), pipeline templating, and policy-as-code practices
Cloud & Engineering Background
- Experience with at least one major cloud platform (e.g., Azure, AWS, or GCP), including security fundamentals
- Software development background with the ability to review and understand code (e.g., C#, Java, JavaScript/TypeScript, Python, Go)
- Familiarity with modern application architectures such as microservices, containers, and serverless environments
Professional Skills
- Ability to communicate technical risks effectively to both technical and non-technical stakeholders
- Strong collaboration and stakeholder management skills
- Capability to influence teams and drive security adoption in a fast-paced environment
- Experience defining standards, processes, and measurable security outcomes (e.g., KPIs, SLAs)
Nice-to-Have Skills
- Experience with common application security tools across SAST, DAST, and SCA categories
- Familiarity with web application firewalls (WAF), API gateways, or service mesh security
- Relevant security or cloud certifications