
Job Description:
Secure Software Development Lifecycle Leadership
Lead the integration of application security controls into CI/CD pipelines, including SAST, SCA, DAST, secrets detection and management, and container security, with automated gating and scalable DevSecOps workflows.
Define and continuously improve application security quality gates and review processes aligned to Modern Engineering SDLC standards, including risk-based thresholds, exception handling, and audit-ready documentation.
Provide expert guidance on secure architectures and design patterns, advising engineering teams on security trade-offs for cloud-native, microservices, and API-driven solutions.
Secure Coding Standards & Governance
Own the development, maintenance, and enforcement of enterprise secure coding standards.
Align secure coding governance with established Bank technology standards, including SDLC, secure development expectations, and code review procedures.
Ensure teams understand and implement secure-by-default development practices throughout all project phases.
Deep expertise with Static Application Security Testing (SAST) platforms, including scan configuration, custom rule or query tuning, results triage, risk-based prioritization, and disciplined false-positive suppression with documented justification.
Preferred:
Experience with Checkmarx SAST / Checkmarx ONE, including custom query (CxQL) tuning and enterprise-scale result management.
Strong experience with Software Composition Analysis (SCA) tools, covering open source dependency analysis, license compliance, vulnerability assessment, policy configuration, and developer-focused remediation guidance.
Preferred: Hands-on experience with Checkmarx SCA in CI/CD-integrated environments.
Proficiency with Infrastructure as Code (IaC) security scanning across technologies such as Terraform, CloudFormation, Kubernetes, and Helm, including rule tuning and remediation recommendations aligned with cloud security best practices.
Preferred: Experience using Checkmarx KICS for IaC and container configuration scanning.
Hands-on experience with Dynamic Application Security Testing (DAST), including scan configuration, authentication handling, API scanning, vulnerability validation, and false-positive management.
Demonstrated ability to analyze, validate, and contextualize findings across SAST, SCA, IaC, and DAST tools, translating technical results into clear, actionable, and risk-informed remediation guidance for development teams.
Extensive experience integrating application and cloud security tooling into CI/CD pipelines, implementing security gates, and aligning scan outcomes with modern DevSecOps workflows.
Preferred: Experience integrating Checkmarx platforms with CI/CD pipelines and broader cloud or application security ecosystems.
Advanced Secure Code Reviews
Perform deep-dive manual and automated secure code reviews for complex, high-risk applications and services.
Identify systemic vulnerabilities and recommend structural code and design improvements.
Serve as the primary escalation point for security concerns raised during code review or pipeline security scans.
Proven background in secure code reviews, vulnerability root-cause analysis, and validating fixes across multiple languages and frameworks.
Proficiency in one or more programming languages (e.g., Java, C#, Python, TypeScript) with a strong understanding of modern application architectures, including microservices, APIs, containers, and cloud-native platforms.
Threat Modeling & Application Risk Assessments
Lead threat modeling sessions for new and existing applications, cloud-native architectures, and major platform initiatives.
Assess application architectures for security gaps and recommend compensating or preventative controls.
Partner with engineering, Cloud, Architecture, and DevOps teams to embed security into design decisions.
Vulnerability Management & Security Advisory
Own remediation guidance for high- and critical-severity findings across AppSec scanners, third-party assessments, and internal reviews.
Influence prioritization decisions by applying expert judgment to business risk, architectural impact, and threat landscape considerations.
Support program-level improvements to vulnerability lifecycle management across engineering teams.
Technical Leadership & Mentoring
Provide coaching and mentoring to Application Security Engineers, developers, and DevOps staff, consistent with expectations for senior Bank engineers.
Advocate for secure engineering practices across teams and promote a strong security culture within the SDLC.
Contribute to enterprise communities of practice, working groups, and secure development initiatives.
Required Qualifications:
6-8 years of experience in application security, software engineering, product security, or DevOps with a strong security focus, consistent with senior engineer expectations.
Deep expertise in secure software design principles, threat modeling methodologies, and enterprise application security controls.
Extensive experience with CI/CD security integration and DevSecOps tooling (SAST, SCA, DAST, secrets management, container security).
Demonstrated experience performing and leading secure code reviews and providing actionable remediation guidance.
Proficiency in one or more programming languages (e.g., Java, C#, Python, TypeScript) and familiarity with modern application architectures (microservices, containers, APIs, cloud-native).
Preferred Qualifications:
Experience designing or evaluating secure architectures in cloud platforms such as AWS or Azure, aligned with senior engineering expectations in other Bank roles.
Familiarity with enterprise SDLC governance, Agile methodologies, and security-by-design frameworks.
Prior experience leading large-scale DevSecOps initiatives or maturing application security programs.
Relevant certifications such as CISSP, CSSLP, GWEB, or cloud security certifications.
Experience with Checkmarx, Prisma Cloud, JFrog Xray, or similar tools.
Experience with common programming languages including C#, Java, and YAML.
Core Competencies:
Advanced problem-solving and analytical capabilities.
Ability to communicate complex security concepts to technical and non-technical audiences.
Strong collaboration and influence skills; able to drive alignment across engineering, cloud, risk, and security teams.
Demonstrated commitment to continuous improvement, engineering excellence, and secure software delivery.