Application Security SME

Location: Remote

Start Date: Immediate

End Date: To be determined

Key Responsibilities:

• Security Tooling Ownership & Governance:
  • Act as the product owner for application security tooling, including Snyk, Invicti, Intigriti, and Sonatype.
  • Ensure quality, compliance, lifecycle management, updates, and roadmap follow-up.
  • Monitor tool health, SLAs, and dashboards; ensure ongoing maintenance with the Center of Excellence (CoE).
  • Align with development teams, CoE, and platform stakeholders on complex topics.
• Project Ownership:
  • Lead the migration of Invicti to the new platform supporting LLM/GenAI/AI-injection scanning.
  • Lead the migration of Sonatype to SaaS with minimal disruption.
  • Coordinate with internal teams, external partners, and vendors to deliver new capabilities.
• Development Security Reviews:
  • Perform or support Design Security (DS) and Code Review Reports (CRR).
  • Provide guidance on security questions from developers, project managers, and architects.
• Threat Modeling:
  • Lead, perform, or review threat models for custom development projects.
  • Help teams identify security risks early using defined methodologies.
• Cross-Team Collaboration & Continuous Improvement:
  • Collaborate weekly with the CoE on application security topics and standards.
  • Contribute to process improvements, automation, and team enablement/training.

Required Skills & Experience:

• Strong hands-on experience with application security tools such as Snyk, Invicti, Sonatype, Bug Bounty (Intigriti), or comparable platforms.
• Experience in secure Software Development Life Cycle (SDLC), secure coding practices, and application security assessments.
• Knowledge and practical experience with threat modeling methodologies (e.g., STRIDE, attack trees).
• Ability to collaborate across engineering, development, CoE teams, and external partners.
• Advantageous: exposure to GenAI/LLM security concerns (e.g., AI-prompt injection scanning).
• Strong analytical, communication, and documentation skills.

Candidates with a development background are preferred, as effective communication with development teams is essential. While detailed knowledge of all security tools is not mandatory, familiarity with them or similar tools is desirable.

Please note that occasional on-site presence may be required when the manager is in the country.