Key skills
JavaScriptPythonJavaC#CAWSAzureGCPKubernetesDockerGitHubSDLCCommunicationSnykSonarQubeCheckmarxOWASPPenetration TestingCloud Security
About this role
UNFI is North America’s premier grocery wholesaler, delivering a wide variety of products to community grocers and retail chains. They are seeking a Senior Cybersecurity Engineer (Application Security) responsible for protecting software applications from threats by embedding security practices into the software development lifecycle and collaborating with various teams to ensure secure application development.
Responsibilities:
- Conduct security-focused code reviews, static application security testing (SAST), dynamic application security testing (DAST), software composition analysis (SCA), and interactive application security testing (IAST)
- Triage and prioritize findings from automated security scans and penetration testing results; provide actionable remediation guidance to developers
- Collaborate with software development teams to integrate security tools and best practices into CI-CD pipelines (e.g., secret scanning, dependency checking, secure coding standards)
- Develop and maintain security tools, scripts, frameworks, and automation to scale application security efforts
- Support vulnerability assessments, penetration testing, and red team exercises on applications
- Provide security consulting and training to development teams on secure coding practices, common vulnerabilities (e.g., OWASP top 10), and emerging threats
- Monitor emerging application security trends, vulnerabilities (e.g., CVEs), and attack techniques; contribute to incident response when application exploits occur
- Ensure applications align with relevant standards and regulations (e.g., NIST, OWASP, PCI-DSS, SOC 2)
- Create and update security documentation, policies and threat models as needed
- Compiles and analyzes data for management reporting and metrics as directed
- Demonstrates expert-level knowledge and skills in the technical, process, organizational, and philosophical aspects of application security
- Performs other duties as assigned
Requirements:
- BA/BS in Computer or Cybersecurity domain
- Relevant certifications such as OSCP, GWAPT, CSSLP, CEH, CISSP, or cloud security certs (e.g., AWS Security Specialty)
- 6+ years of experience in application security, secure software development, penetration testing, or related cybersecurity roles, in a large, highly diverse, and distributed environment
- Strong understanding of web application vulnerabilities, OWASP top 10, and secure coding principles
- Proficiency in at least one or more programming languages (e.g., Python, Java, JavaScript, C#)
- Hands-on experience with AppSec tools such as: SAST: SNYK, Veracode, SonarQube, Checkmarx, CodeQL; DAST: SNYK, OWASP ZAP, Burp Suite, Veracode; SCA: Snyk, Dependabot, Black Duck, OWASP Dependency-Check; Other: Wiz, GitHub Advanced Security, or similar
- Familiarity with cloud platforms (AWS, Azure, GCP) and container/orchestration technologies (Docker, Kubernetes)
- Experience with DevSecOps practices and integrating security into CI-CD pipelines
- Knowledge of secure SDLC methodologies, threat modeling (e.g., STRIDE, PASTA), and secure design patterns
- Excellent written, verbal, and interpersonal communication skills – able to explain technical security issues to non-technical stakeholders and collaborate effectively with developers
- Analytical mindset with strong problem-solving abilities
- Proactive, detail-oriented, and able to manage multiple priorities
- Ability to translate technical findings into actionable insights
- Ability to mentor junior staff and transfer technical knowledge as well as contribute to the team's knowledge sharing
- Strong independent direction and ability to multi-task
- Flexible and adaptable to learning and understanding new technologies
- Ability to work extremely well under pressure while maintaining a professional image and approach
- Team player with proven ability to work effectively with other business units, IT management and staff, vendors, and consultants
- Exceptional information analysis abilities: ability to perform independent analysis and distill relevant findings and root cause
- Comfortable discussing complex findings and issues with variety of audiences, including C‑suite level
- Self-driven and able to reach deadlines on-time with minimal direction
- Passion for cybersecurity and staying current with evolving threats