Thorne

Senior DevSecOps / Security Engineer – Application & Cloud (Ecommerce)

Thorne  •  $150k - $180k/yr  •  Remote  •  8 days ago

Job Description

Senior DevSecOps / Security Engineer – Application & Cloud (Ecommerce)

Department: Information Technology

Employment Type: Full Time

Location: Remote

Compensation: $150,000 - $180,000 / year


At Thorne, we work to deliver high-quality, science-backed solutions to empower individuals to take a proactive approach to their well-being. Each day begins with a mission to help others discover and achieve their best health. We count on our team members to challenge and push the boundaries to make that happen. At Thorne, you’ll be joining a team of more than 750 passionate individuals committed to our cause of providing superior health solutions at every age and life stage.

Thorne is seeking a Senior DevSecOps / Security Engineer – Application & Cloud (Ecommerce) to secure and scale our digital platforms, including Thorne.com, mobile applications, and emerging AI capabilities. This role sits at the intersection of application security, DevSecOps, and AWS cloud infrastructure, with a strong focus on protecting ecommerce systems, customer data, and high-traffic web applications. The ideal candidate will balance remediations and hands-on execution, ensuring systems are resilient, performant, and secure, while embedding security throughout the development lifecycle.

RESPONSIBILITIES


Application & Ecommerce Security

· Identify and remediate vulnerabilities in Java-based applications (Spring Boot, APIs, microservices)

· Address OWASP Top 10 and ecommerce-specific risks, including:

  • Injection (SQL/NoSQL), XSS, CSRF
  • Broken authentication / session management
  • Business logic flaws (checkout, pricing, promotions, abuse scenarios)
  • Account takeover, credential stuffing, bot attacks

· Secure checkout flows, payment integrations, subscriptions, and customer data handling

· Conduct secure code reviews and support threat modeling for new features

API & Integration Security

· Secure REST/GraphQL APIs (authentication, authorization, rate limiting)

· Prevent API abuse, scraping, and data exfiltration

· Implement and enforce secure patterns (OAuth2, JWT, token management)

DevSecOps & CI/CD Security

· Implement and manage security tooling in CI/CD pipelines:

  • SAST (Java-focused), DAST, SCA (dependencies), secrets scanning

· Secure build and deployment pipelines

· Enforce secure coding standards and automate policy checks

· Own infrastructure-as-code security (Terraform) for app environments

AWS Cloud Security (Critical)

· Secure application workloads on AWS (EKS/ECS, EC2, Lambda, API Gateway, S3, RDS)

· Implement and validate:

  • IAM roles and least privilege access
  • Network segmentation (VPCs, security groups, private/public boundaries)
  • Secrets management (AWS Secrets Manager, Parameter Store)
  • Data protection (encryption at rest/in transit)

· Partner with Infra to ensure alignment with enterprise guardrails, while owning app-layer cloud security

Runtime Protection & Detection

· Implement and tune WAF, bot protection, and rate limiting for ecommerce surfaces

· Partner with Infra on CrowdStrike coverage for application workloads

· Support detection and response improvements for:

  • Web/app-layer attacks
  • API abuse

· Triage and remediate findings from:

  • Pen tests
  • Purple team exercises
  • Assumed breach scenarios

Security Program Execution

· Translate security findings into prioritized engineering work

· Partner with external security testing partners on risk prioritization (CTRM) tied to business impact

· Drive adoption of security best practices across engineering teams

· Act as a bridge between Ecom, Infrastructure, and external security partners

WHAT YOU NEED


Application & Ecommerce Security
· Identify and remediate vulnerabilities in Java-based applications (Spring Boot, APIs, microservices) · Address OWASP Top 10 and ecommerce-specific risks, including:

  • Injection (SQL/NoSQL), XSS, CSRF
  • Broken authentication / session management
  • Business logic flaws (checkout, pricing, promotions, abuse scenarios)
  • Account takeover, credential stuffing, bot attacks

· Secure checkout flows, payment integrations, subscriptions, and customer data handling · Conduct secure code reviews and support threat modeling for new features

API & Integration Security
· Secure REST/GraphQL APIs (authentication, authorization, rate limiting) · Prevent API abuse, scraping, and data exfiltration · Implement and enforce secure patterns (OAuth2, JWT, token management)

DevSecOps & CI/CD Security · Implement and manage security tooling in CI/CD pipelines:

  • SAST (Java-focused), DAST, SCA (dependencies), secrets scanning

· Secure build and deployment pipelines · Enforce secure coding standards and automate policy checks · Own infrastructure-as-code security (Terraform) for app environments

AWS Cloud Security (Critical) · Secure application workloads on AWS (EKS/ECS, EC2, Lambda, API Gateway, S3, RDS) · Implement and validate:

  • IAM roles and least privilege access
  • Network segmentation (VPCs, security groups, private/public boundaries)
  • Secrets management (AWS Secrets Manager, Parameter Store)
  • Data protection (encryption at rest/in transit)

· Partner with Infra to ensure alignment with enterprise guardrails, while owning app-layer cloud security

Runtime Protection & Detection · Implement and tune WAF, bot protection, and rate limiting for ecommerce surfaces · Partner with Infra on CrowdStrike coverage for application workloads · Support detection and response improvements for:

  • Web/app-layer attacks
  • API abuse

· Triage and remediate findings from:

  • Pen tests
  • Purple team exercises
  • Assumed breach scenarios


Security Program Execution · Translate security findings into prioritized engineering work · Partner with external security testing partners on risk prioritization (CTRM) tied to business impact · Drive adoption of security best practices across engineering teams · Act as a bridge between Ecom, Infrastructure, and external security partners

WHAT WE OFFER

  • Competitive compensation
  • 100% company-paid medical, dental, and vision insurance coverage for employees
  • Company-paid short- and long-term disability insurance
  • Company-paid life insurance
  • 401k plan with employer matching contributions up to 4%
  • Gym membership reimbursement
  • Monthly allowance of Thorne supplements
  • Paid time off, volunteer time off and holiday leave
  • Training, professional development, and career growth opportunities

About Thorne

Thorne is the leader in science-backed health and wellness solutions built to connect the science of performance with the science of people. As the top recommended clinical brand by health-care practitioners, Thorne offers a comprehensive range of nutritional supplements and innovative technology tools including Taia™ – Thorne’s AI-powered wellness advisor – empowering individuals to take control of their health and wellness journey with confidence.

Founded in 1984, Thorne develops products with high-quality ingredients, guided by clinical research and an in-house team of doctors, researchers, and scientists to ensure every formula meets rigorous standards for purity, potency, and efficacy. Thorne maintains a vertically integrated model, setting the industry standard for supplement manufacturing at its own facility in South Carolina.

Trusted by tens of thousands of health-care professionals, thousands of professional athletes, 100+ professional sports teams and multiple U.S. National Teams, and over seven million consumers, Thorne is a trusted partner bringing scientific rigor to everyday health and wellness.

The key to our success is a user-centric approach that always puts the individual at the center of our operations. From our distinguished researchers to our elite customer-care team, every individual at Thorne has a first-hand opportunity to make a difference.

We are always looking for new ways to innovate, and there is plenty of room for you to leave your mark here. If you’re an individual that embraces challenge, fosters innovation, and desires to make a difference in the world – then join us.

Industry: Arts & Entertainment

Company Size: 501-1,000 employees

Headquarters: Summerville, South Carolina

Year Founded: Unknown