Own the application security strategy and roadmap across products and platforms, aligned to business risk and compliance obligations (e.g., ISO 27001, NIST).
Work with Group Architect to set and govern secure SDLC standards.
Influence senior engineering leadership on security architecture decisions, backlog prioritization, and risk acceptance.
Lead and mature SAST, DAST, and SCA usage, with policy-as-code and pipeline gating where appropriate.
Conduct lightweight threat modelling and design reviews for new features and critical services (APIs, microservices, containers, serverless).
Guide and unblock remediation of complex vulnerabilities in first-party code and third-party libraries, providing developer-ready fixes and patterns.
Direct and coordinate penetration testing (internal or partner-led); define scope, success criteria, and exec-level reporting.
Lead the response to zero-day events affecting our stack: assess exposure, coordinate mitigations and communication, and run after-action reviews.
Requirements
Proven background in software engineering (e.g., .NET, Java, JavaScript/TypeScript, Python) and secure coding practices.
Strong experience operating and integrating SAST/DAST/SCA and AppSec controls into CI/CD.
Understanding of modern architectures: APIs, microservices, containers (Docker/K8s), serverless, secrets management, identity and access.
Hands-on with penetration testing methods and tooling (e.g., OWASP testing guidance, Burp Suite, ZAP); able to set test charters and interpret results.
Practical experience with vulnerability scanners and endpoint/cloud security platforms (Qualys/Tenable, Defender for Endpoint), plus asset/coverage hygiene.
Skilled at triage and risk framing, mapping to business impact and SLAs.