Senior /Principal SecOps & AppSec Engineer
Own application security posture and remediation strategy end-to-end, from code through production. Lead security scanning, validate and fix real vulnerabilities, drive dependency and configuration remediation, embed security into CI/CD, and mentor a lean SecOps/AppSec function.
Department: Engineering
Reports To: Director Engineering
Team Size: 1–2 Direct Reports
Scope: Application Security + SecOps + DevSecOps
Role Overview
The Senior SecOps & AppSec Lead will own both the organization’s application security posture and its remediation strategy across the software delivery lifecycle. This role is hands-on and execution-focused: the expectation is not only to identify vulnerabilities through tooling and assessment, but to validate exploitability, prioritize risk in business context, and actively drive or implement remediation in code, pipelines, dependencies, containers, and runtime environments.
The role combines application security engineering, secure SDLC ownership, and SecOps leadership. The ideal candidate can work closely with developers, review and remediate security issues in application code, improve the signal quality of security findings, and ensure security controls are embedded into CI/CD without slowing delivery. The person should also be comfortable leading a small team, managing security backlog and SLAs, and translating technical risks into actionable engineering priorities.
Key Responsibilities
Application Security Ownership
- Own the end-to-end application security posture across web applications, APIs, services, open-source dependencies, containers, and deployment environments.
- Drive secure development practices across the SDLC, including threat modeling, secure design reviews, code review guidance, and developer remediation support.
- Perform and oversee application security assessments covering OWASP Top 10 risks, API security issues, authentication and session management flaws, insecure access control, injection risks, data exposure, SSRF, deserialization, and business logic vulnerabilities.
- Partner with engineering teams early in the lifecycle to improve architecture and design decisions from a security standpoint.
Vulnerability Management & Remediation Strategy
- Own vulnerability triage, validation, prioritization, and remediation planning across SAST, DAST, SCA, container scanning, cloud findings, and manual testing outputs.
- Assess real-world exploitability in the context of the product and environment, reducing false positives and focusing teams on material risks rather than scanner noise.
- Define and run the remediation strategy for application and dependency risks, including code fixes, compensating controls, library upgrades, configuration hardening, and risk acceptance workflows where appropriate.
- Work hands-on with development teams to remediate vulnerabilities in code and frameworks and help resolve recurring security anti-patterns at root cause.
- Manage remediation backlog, risk-based SLAs, exception handling, and reporting of open issues to engineering leadership.
Security Tooling & CI/CD Integration
- Own and evolve the security scanning pipeline, including SAST, DAST, SCA, secrets detection, container image scanning, and security checks in pull request and release workflows.
- Configure and tune tools such as Veracode, SonarQube, Checkmarx, Fortify, Trivy, OWASP Dependency-Check, or equivalent platforms to improve coverage and reduce false positives.
- Integrate security gates into Jenkins, GitLab CI, GitHub Actions, or similar CI/CD systems, ensuring effective controls without creating delivery bottlenecks.
- Define severity thresholds, policy gates, and escalation paths for vulnerable builds, packages, images, and releases.
SecOps & Platform Security
- Support security operations across application and engineering environments, including WAF policy tuning, secrets hygiene, access reviews, secure configuration validation, and security monitoring inputs relevant to engineering-owned assets.
- Collaborate on Kubernetes and container security controls, including image hygiene, least-privilege configurations, secrets handling, pod security standards, RBAC, and deployment guardrails.
- Contribute to AWS and cloud security posture improvements by validating findings, identifying actionable remediation, and partnering with infrastructure teams on closure.
Compliance & Governance
- Support compliance and customer assurance initiatives such as SOC 2, ISO 27001, and client security reviews by maintaining evidence, remediation records, and security process documentation.
- Maintain threat models, secure coding standards, remediation playbooks, and vulnerability management procedures.
- Produce clear reporting on scan coverage, vulnerability trends, remediation progress, and overall risk posture for engineering leadership.
Required Qualifications
- 6–10 years of hands-on experience in Application Security, SecOps, or DevSecOps roles for enterprise software products.
- Strong experience with application security testing, including SAST, DAST, manual web/API testing, and vulnerability triage.
- Proven ability to reproduce, validate, prioritize, and remediate application security vulnerabilities rather than only reporting them.
- Hands-on experience managing or integrating security tools such as Veracode, SonarQube, Checkmarx, Fortify, Trivy, OWASP Dependency-Check, Burp Suite, or equivalent.
- Hands-on programming experience in at least one of Java or Python, with the ability to review code, understand exploit paths, and implement or guide remediation in application codebases.
- Strong experience with open-source dependency risk management, including identifying vulnerable libraries, assessing exploitability, and driving upgrades or mitigations.
- Experience embedding security checks into CI/CD pipelines using Jenkins, GitLab CI, GitHub Actions, or similar tooling.
- Good understanding of container and Kubernetes security fundamentals, including image scanning, secrets management, RBAC, and deployment security controls.
- Experience supporting cloud security remediation in AWS or similar environments.
- Strong communication skills with the ability to work closely with developers, platform teams, auditors, and engineering leadership.
Preferred Qualifications
- Experience in fintech, financial services, or other regulated product environments with sensitive data handling requirements.
- Experience with WAF policy tuning, API security testing, and threat modeling.
- Familiarity with SOC 2 and ISO 27001 control implementation and evidence management.
- Exposure to identity and access systems such as Okta, Entra ID, AWS Identity Center, or similar enterprise platforms.
- Certifications such as CEH, OSCP, CISSP, AWS Security Specialty, or Kubernetes security certifications.