Hexion is a global leader in specialty chemicals, and they are seeking a Senior Security Engineer to enhance their security engineering function. This role involves architecting and operationalizing security across software development pipelines, cloud environments, and enterprise systems, ensuring that security is integrated throughout the software development lifecycle.
Responsibilities:
- Own the selection, deployment, tuning, and continuous operation of application security testing tools:
  - Implement and manage Static Application Security Testing (SAST) tools integrated into CI/CD pipelines (e.g., Checkmarx, Snyk, Semgrep, SonarQube, Veracode)
  - Deploy and operate Dynamic Application Security Testing (DAST) solutions for runtime vulnerability detection (e.g., OWASP ZAP, Burp Suite Enterprise, Checkmarx)
  - Integrate Software Composition Analysis (SCA) to identify vulnerabilities in open-source dependencies (e.g., Snyk, Black Duck, Dependabot)
  - Establish triage workflows, severity thresholds, and developer-facing remediation guidance
  - Track vulnerability metrics and report on risk reduction trends to security leadership
- Build and govern the enterprise SBOM program:
  - Define SBOM generation standards across all software
  - Integrate SBOM generation into build pipelines as a gating control
  - Maintain the SBOM inventory and correlate it with known vulnerability feeds (NVD, OSV, CVE)
  - Support regulatory and customer-facing SBOM disclosure requirements
  - Advise engineering teams on dependency hygiene and license compliance
- Embed security natively into CI/CD pipelines and developer workflows:
  - Design and enforce pipeline security gates: no build ships without passing defined security checks
  - Implement pre-commit hooks, PR scanning, and automated security feedback loops
  - Define and enforce secure pipeline configurations across GitHub Actions, Azure DevOps, Jenkins, or equivalent
  - Govern pipeline access controls, service account permissions, and artifact signing
  - Partner with platform engineering to harden build infrastructure and runner environments
- Operate enterprise secrets management:
  - Leverage and manage secrets management solutions (Delinea, CyberArk, AWS Secrets Manager, Azure Key Vault)
  - Eliminate hardcoded credentials across codebases by implementing detection and remediation pipelines
  - Define secrets rotation policies, access controls, and audit logging standards
  - Integrate secrets injection into CI/CD pipelines and application runtimes
  - Conduct periodic secrets sprawl audits and enforce zero standing secrets in code repositories
- Establish and enforce secure source control practices:
  - Define branch protection standards for master/main and sub-branches (required reviewers, status checks, signed commits)
  - Govern repository access policies, least-privilege permissions, and PAT/token lifecycle
  - Implement code scanning and secret detection on all branches, not just main
  - Enforce code signing and supply chain integrity controls for release pipelines
  - Audit and report on code repository posture across all engineering teams
- Own cloud security architecture and posture management:
  - Deploy and operate Cloud Security Posture Management (CSPM) tooling (e.g., Wiz, Prisma Cloud, AWS Security Hub, Defender for Cloud)
  - Define and enforce cloud security baselines across AWS, Azure, and/or GCP environments
  - Enable IAM policies, network segmentation, resource tagging, and encryption standards
  - Monitor for misconfigurations, excessive permissions, and drift from approved baselines
  - Integrate cloud security findings into enterprise risk and vulnerability management programs
- Define and enforce security baselines across the enterprise:
  - Author and maintain security configuration baselines aligned to CIS Benchmarks and internal policy
  - Implement automated baseline compliance validation across cloud, OS, container, and application layers
  - Translate security policy into enforceable technical controls, using policy as code where applicable
  - Partner with compliance and risk teams to align technical baselines to regulatory requirements (SOC 2, ISO 27001)
- Champion security throughout the entire development lifecycle:
  - Define and operationalize SSDLC practices across all engineering teams, from design through deployment
  - Conduct threat modeling workshops with product and engineering teams for new systems and features
  - Develop security requirements, security user stories, and abuse cases for inclusion in sprint planning
  - Establish security review gates at key SDLC milestones (architecture review, pre-release, post-incident)
- Work across teams to make security a shared responsibility:
  - Serve as the primary security engineering liaison to application development, platform engineering, and DevOps teams
  - Partner with the Security Operations Center (SOC) to connect pipeline telemetry with detection and response workflows
  - Collaborate with GRC and risk teams to translate findings into risk language for executive reporting
  - Engage with third-party vendors and open-source communities to stay current on tooling and threat intelligence
Requirements:
- Bachelor's degree in Computer Science, Information Security, Software Engineering, or related field (Master's preferred)
- 7+ years of experience in security engineering, application security, application development, or DevSecOps roles
- Hands-on experience deploying and operating SAST, DAST, and SCA tooling in enterprise CI/CD environments
- Demonstrated experience building and managing SBOM programs at scale
- Deep expertise in secrets management platforms (AWS Secrets Manager, or equivalent)
- Strong cloud security experience across AWS and Azure, including IAM, network security, and CSPM tooling
- Experience defining and enforcing branch protection, code signing, and repository security controls
- Proficiency in one or more scripting/programming languages (Python, Go, Bash, or equivalent) for automation and tooling
- Working knowledge of SSDLC frameworks, threat modeling methodologies (STRIDE), and security requirements engineering
- Familiarity with security frameworks and standards: NIST CSF, NIST 800-53, CIS Benchmarks, OWASP Top 10, SANS 25
- Experience with policy-as-code tooling (OPA/Rego, Sentinel, Checkov, Terrascan)
- Container and Kubernetes security (image scanning, admission controllers, runtime security with Falco or equivalent)
- Security champion program design and developer enablement
- Enterprise vulnerability management and risk-based prioritization programs
- Certifications (any of the following valued): CISSP, CSSLP, GWEB, GWAPT, AWS Security Specialty, Microsoft Security Engineer Associate, CCSP