NeoXam

Senior SecOps & AppSec Lead - Noida

NeoXam  •  Noida, IN (Onsite)  •  1 month ago

Job Description

  • Department: Engineering

  • Reports To: Director Engineering

  • Team Size: 1–2 Direct Reports

  • Scope: AppSec + DevSecOps

We are looking for a Sr. SecOps & AppSec Lead to own and drive security operations across the entire product lifecycle — from code commit through build, deployment, and production. You will manage our security scanning pipeline (Veracode, SonarQube, Trivy), identify and remediate vulnerabilities in application code and open-source dependencies, upgrade libraries to eliminate known CVEs, and work hands-on to fix application security issues alongside development teams.

This role blends application security engineering with DevOps pipeline management. You will not just report vulnerabilities — you will reproduce them, assess their real-world exploitability in our context, and either fix them yourself or guide developers through remediation. You will also own CI/CD pipeline health, ensuring security gates are embedded into every build without becoming a bottleneck. Additionally, you will lead 1–2 junior engineers, building a small but effective security operations practice.

Key Responsibilities
Security Scanning & Pipeline Management

Own and manage the end-to-end security scanning pipeline: SAST (Veracode, SonarQube), SCA (Veracode SCA / Snyk / OWASP Dependency-Check), and container image scanning (Trivy)

Configure, tune, and maintain scanning policies — reduce false positives, set severity thresholds, and define quality gates that block vulnerable builds from promotion

Integrate security scans seamlessly into CI/CD pipelines (Git runner/GitLab CI) so that every pull request and release build is automatically validated without slowing developer velocity

Maintain dashboards and reporting on vulnerability trends, scan coverage, mean-time-to-remediate (MTTR), and open risk posture across the product portfolio

Evaluate and onboard new security tools as the threat landscape and technology stack evolve

Vulnerability Identification, Reproduction & Remediation

Triage vulnerability findings from SAST/SCA/container scans — assess real-world exploitability in the context of our platform, not just CVSS scores

Reproduce open-source and third-party library vulnerabilities in controlled environments to validate their impact and determine whether the vulnerable code path is actually reachable in our product

Fix application security issues hands-on: SQL injection, XSS, CSRF, insecure deserialization, broken authentication, SSRF, path traversal, and other OWASP Top 10 vulnerabilities in the application codebase

Plan and execute library upgrades to remediate known CVEs in open-source dependencies — assess compatibility impact, coordinate with development teams, and validate that upgrades do not introduce regressions

Manage a vulnerability backlog with clear prioritization (critical/high exploitable vs. low-risk theoretical), SLA tracking, and regular reporting to engineering leadership

Application Security Engineering

Conduct security code reviews for high-risk features: authentication/authorization flows, API security, data encryption, secrets management, and inter-module communication (API/MQ)

Define and enforce secure coding standards and guidelines for the development teams, covering input validation, output encoding, parameterized queries, secure session management, and cryptographic practices

Perform or coordinate DAST (Dynamic Application Security Testing) and periodic penetration testing, managing findings through to closure

Review and harden Kubernetes deployment configurations: pod security policies/standards, network policies, RBAC, secrets management (Vault/Sealed Secrets), and container runtime security

Ensure secure handling of sensitive financial data in transit and at rest, aligned with client security requirements and regulatory expectations

CI/CD Pipeline Ownership & DevOps

Co-own CI/CD pipeline infrastructure (Git runner/GitLab CI): build pipeline optimization, artifact management, deployment automation, and environment provisioning

Implement and maintain infrastructure-as-code for security tooling (Terraform/Helm charts for scanning infrastructure, policy-as-code for compliance checks)

Manage Docker image lifecycle: base image hardening, image scanning in registries, tag governance, and ensuring minimal-footprint production images

Automate security compliance checks: license scanning for open-source dependencies, secrets detection in code repositories (GitLeaks/TruffleHog), and configuration drift detection

Support deployment pipelines for Kubernetes environments: Helm chart security, admission controllers, and runtime protection integration

Compliance, Audit & Governance

Support compliance efforts (SOC 2, ISO 27001, or client-specific security assessments) by providing evidence of security controls, scan reports, and remediation records

Coordinate with external penetration testing firms: scope definition, environment preparation, finding triage, and remediation tracking

Maintain security documentation: threat models, security architecture diagrams, incident response runbooks, and vulnerability management procedures

Produce regular security posture reports for engineering leadership and client-facing teams, translating technical findings into business risk language

Team Leadership & Security Culture

Lead, mentor, and develop 1–2 junior SecOps/AppSec engineers, establishing workflows, review processes, and growth paths

Drive a security-aware culture across engineering: conduct threat modeling workshops, secure coding training sessions, and brown-bag presentations on real-world vulnerabilities

Create and maintain internal security knowledge base: remediation playbooks, common vulnerability patterns in the codebase, and library upgrade guides


Required Qualifications

5–8 years of hands-on experience in application security, SecOps, or DevSecOps for enterprise software products

Strong experience with SAST tools (Veracode and/or SonarQube): policy configuration, scan management, false positive tuning, and developer-facing remediation guidance

Hands-on experience with SCA (Software Composition Analysis): identifying vulnerable open-source libraries, assessing exploitability, planning and executing library upgrades across large codebases

Experience with container security scanning (Trivy, Aqua, or Prisma Cloud) and Docker image hardening best practices

Proven ability to reproduce and fix application-level vulnerabilities (OWASP Top 10) in production codebases — not just scan and report, but actively remediate

Strong CI/CD pipeline experience (Jenkins or GitLab CI): building, maintaining, and optimizing build/deploy pipelines with integrated security gates

Working knowledge of Kubernetes security: pod security standards, RBAC, network policies, secrets management, and admission controllers

Proficiency in at least one application language used in the product stack (Java, Python, JavaScript/TypeScript, or Go) to conduct code reviews and fix vulnerabilities

Experience producing compliance evidence and supporting security audits (SOC 2, ISO 27001, or client security questionnaires)

Strong communication skills: ability to explain vulnerabilities and risk to both developers and non-technical stakeholders

Preferred Qualifications

Experience securing financial services / fintech platforms, particularly systems handling sensitive client data in regulated environments

Familiarity with DAST tools (OWASP ZAP, Burp Suite) and manual penetration testing techniques

Knowledge of infrastructure-as-code security scanning (Checkov, tfsec for Terraform templates)

Experience with cloud security posture management on AWS and/or Azure (GuardDuty, Security Hub, Defender for Cloud)

Certifications: CEH, OSCP, CISSP, AWS Security Specialty, or CKS (Certified Kubernetes Security Specialist)

Experience building security champions programs to embed security awareness within development teams

About NeoXam

NeoXam is a leading financial software company, delivering solutions and services to more than 150 customers in 30 countries worldwide. NeoXam is committed to its clients’ success: we provide reliable and scalable solutions, processing more than €25 trillion worth of assets per day and serving over 10,000 users. Through its combined talents and transparent approach, NeoXam helps buy- and sell-side players address the continuous changes in the financial market industry, to grow and better serve their clients. NeoXam relies on 750+ staff, is headquartered in Paris, and has 20 offices worldwide.

For more information, please visit: www.neoxam.com

According to the applicable regulations, you have a right of interrogation, access, modification, or deletion, to request a limitation of the processing of your personal data, the portability of your data, to introduce a complaint to a data protection authority for legitimate reasons, as well as a right of opposition to commercial prospecting for any of your data, and finally to define post-mortem directives about your data. Rights can be exercised by email to privacy@neoxam.com or by mail to the following address: NeoXam, 46 rue Notre-Dame-des-Victoires 75002 Paris, France.

Industry
IT & Software
Company Size
501-1,000 employees
Headquarters
Paris, FR
Year Founded
2014