Department: Engineering
Reports To: Director, Engineering
Team Size: 1–2 Direct Reports
Scope: AppSec + DevSecOps
We are looking for a Sr. SecOps & AppSec Lead to own and drive security operations across the entire product lifecycle — from code commit through build, deployment, and production. You will manage our security scanning pipeline (Veracode, SonarQube, Trivy), identify and remediate vulnerabilities in application code and open-source dependencies, upgrade libraries to eliminate known CVEs, and work hands-on to fix application security issues alongside development teams.
This role blends application security engineering with DevOps pipeline management. You will not just report vulnerabilities — you will reproduce them, assess their real-world exploitability in our context, and either fix them yourself or guide developers through remediation. You will also own CI/CD pipeline health, ensuring security gates are embedded into every build without becoming a bottleneck. Additionally, you will lead 1–2 junior engineers, building a small but effective security operations practice.
- Own and manage the end-to-end security scanning pipeline: SAST (Veracode, SonarQube), SCA (Veracode SCA / Snyk / OWASP Dependency-Check), and container image scanning (Trivy)
- Configure, tune, and maintain scanning policies — reduce false positives, set severity thresholds, and define quality gates that block vulnerable builds from promotion
- Integrate security scans seamlessly into CI/CD pipelines (Git runner/GitLab CI) so that every pull request and release build is automatically validated without slowing developer velocity
- Maintain dashboards and reporting on vulnerability trends, scan coverage, mean-time-to-remediate (MTTR), and open risk posture across the product portfolio
- Evaluate and onboard new security tools as the threat landscape and technology stack evolve
- Triage vulnerability findings from SAST/SCA/container scans — assess real-world exploitability in the context of our platform, not just CVSS scores
- Reproduce open-source and third-party library vulnerabilities in controlled environments to validate their impact and determine whether the vulnerable code path is actually reachable in our product
- Fix application security issues hands-on: SQL injection, XSS, CSRF, insecure deserialization, broken authentication, SSRF, path traversal, and other OWASP Top 10 vulnerabilities in the application codebase
- Plan and execute library upgrades to remediate known CVEs in open-source dependencies — assess compatibility impact, coordinate with development teams, and validate that upgrades do not introduce regressions
- Manage a vulnerability backlog with clear prioritization (critical/high exploitable vs. low-risk theoretical), SLA tracking, and regular reporting to engineering leadership
- Conduct security code reviews for high-risk features: authentication/authorization flows, API security, data encryption, secrets management, and inter-module communication (API/MQ)
- Define and enforce secure coding standards and guidelines for the development teams, covering input validation, output encoding, parameterized queries, secure session management, and cryptographic practices
- Perform or coordinate DAST (Dynamic Application Security Testing) and periodic penetration testing, managing findings through to closure
- Review and harden Kubernetes deployment configurations: pod security policies/standards, network policies, RBAC, secrets management (Vault/Sealed Secrets), and container runtime security
- Ensure secure handling of sensitive financial data in transit and at rest, aligned with client security requirements and regulatory expectations
- Co-own CI/CD pipeline infrastructure (Git runner/GitLab CI): build pipeline optimization, artifact management, deployment automation, and environment provisioning
- Implement and maintain infrastructure-as-code for security tooling (Terraform/Helm charts for scanning infrastructure, policy-as-code for compliance checks)
- Manage Docker image lifecycle: base image hardening, image scanning in registries, tag governance, and ensuring minimal-footprint production images
- Automate security compliance checks: license scanning for open-source dependencies, secrets detection in code repositories (GitLeaks/TruffleHog), and configuration drift detection
- Support deployment pipelines for Kubernetes environments: Helm chart security, admission controllers, and runtime protection integration
- Support compliance efforts (SOC 2, ISO 27001, or client-specific security assessments) by providing evidence of security controls, scan reports, and remediation records
- Coordinate with external penetration testing firms: scope definition, environment preparation, finding triage, and remediation tracking
- Maintain security documentation: threat models, security architecture diagrams, incident response runbooks, and vulnerability management procedures
- Produce regular security posture reports for engineering leadership and client-facing teams, translating technical findings into business risk language
- Lead, mentor, and develop 1–2 junior SecOps/AppSec engineers, establishing workflows, review processes, and growth paths
- Drive a security-aware culture across engineering: conduct threat modeling workshops, secure coding training sessions, and brown-bag presentations on real-world vulnerabilities
- Create and maintain internal security knowledge base: remediation playbooks, common vulnerability patterns in the codebase, and library upgrade guides
- 5–8 years of hands-on experience in application security, SecOps, or DevSecOps for enterprise software products
- Strong experience with SAST tools (Veracode and/or SonarQube): policy configuration, scan management, false positive tuning, and developer-facing remediation guidance
- Hands-on experience with SCA (Software Composition Analysis): identifying vulnerable open-source libraries, assessing exploitability, planning and executing library upgrades across large codebases
- Experience with container security scanning (Trivy, Aqua, or Prisma Cloud) and Docker image hardening best practices
- Proven ability to reproduce and fix application-level vulnerabilities (OWASP Top 10) in production codebases — not just scan and report, but actively remediate
- Strong CI/CD pipeline experience (Jenkins or GitLab CI): building, maintaining, and optimizing build/deploy pipelines with integrated security gates
- Working knowledge of Kubernetes security: pod security standards, RBAC, network policies, secrets management, and admission controllers
- Proficiency in at least one application language used in the product stack (Java, Python, JavaScript/TypeScript, or Go) to conduct code reviews and fix vulnerabilities
- Experience producing compliance evidence and supporting security audits (SOC 2, ISO 27001, or client security questionnaires)
- Strong communication skills: ability to explain vulnerabilities and risk to both developers and non-technical stakeholders
- Experience securing financial services / fintech platforms, particularly systems handling sensitive client data in regulated environments
- Familiarity with DAST tools (OWASP ZAP, Burp Suite) and manual penetration testing techniques
- Knowledge of infrastructure-as-code security scanning (Checkov, tfsec for Terraform templates)
- Experience with cloud security posture management on AWS and/or Azure (GuardDuty, Security Hub, Defender for Cloud)
- Certifications: CEH, OSCP, CISSP, AWS Security Specialty, or CKS (Certified Kubernetes Security Specialist)
- Experience building security champions programs to embed security awareness within development teams