Thorne is dedicated to delivering high-quality, science-backed solutions for individual well-being. The Senior DevSecOps / Security Engineer will design and implement security measures across Thorne's digital ecosystem, ensuring security is embedded throughout the software development lifecycle and protecting customer data.
Responsibilities:
- Lead application security initiatives across Thorne's ecommerce platforms, mobile applications, APIs, and cloud-native services
- Identify, assess, and remediate application vulnerabilities in Java-based applications, including Spring Boot services, microservices, and APIs, while addressing OWASP Top 10 risks and ecommerce-specific threats
- Secure critical customer-facing functionality, including checkout, payment processing, subscription services, authentication, and customer data protection
- Perform secure code reviews, threat modeling, and architecture assessments to ensure new applications and features are designed with security from the outset
- Design and implement secure REST and GraphQL APIs by enforcing authentication, authorization, rate limiting, and secure token management using modern standards such as OAuth2 and JWT
- Secure AWS-hosted application environments, including EKS/ECS, EC2, Lambda, API Gateway, S3, and RDS, by implementing cloud security best practices for identity, networking, secrets management, and data protection
- Collaborate with Infrastructure teams to ensure application-layer cloud security aligns with enterprise security architecture, governance, and operational standards
- Embed security throughout the software development lifecycle by integrating SAST, DAST, Software Composition Analysis (SCA), secrets scanning, and other automated security controls into CI/CD pipelines
- Secure build and deployment processes while establishing automated policy enforcement and secure coding standards
- Develop and maintain Infrastructure-as-Code security practices using Terraform and other cloud automation tools
- Implement and optimize runtime security controls, including Web Application Firewalls (WAF), bot mitigation, rate limiting, and application-layer monitoring for ecommerce environments
- Partner with Infrastructure and Security Operations teams to improve detection, monitoring, and response capabilities for application attacks, API abuse, and emerging threats
- Investigate, prioritize, and remediate security findings identified through penetration testing, purple team exercises, vulnerability assessments, and assumed breach scenarios
- Translate security assessments and vulnerability findings into prioritized engineering initiatives based on business risk and customer impact
- Partner with Engineering, Ecommerce, Infrastructure, Product, and external security partners to drive adoption of secure development practices and continuous security improvements
- Serve as a trusted security advisor by promoting secure-by-design principles, mentoring engineering teams, and helping build a security-first engineering culture
- Identify, assess, and remediate security vulnerabilities across Java-based applications, including Spring Boot services, APIs, and microservices
- Protect customer-facing ecommerce platforms by mitigating OWASP Top 10 vulnerabilities and ecommerce-specific threats, including injection attacks (SQL/NoSQL), cross-site scripting (XSS), cross-site request forgery (CSRF), authentication
Requirements:
- Bachelor's degree in Computer Science, Cybersecurity, Information Systems, Engineering, or a related technical discipline; equivalent professional experience will also be considered
- 5+ years of experience in DevSecOps, Security Engineering, DevOps, Application Security, or a related cybersecurity role
- Experience securing Java-based web applications, including Spring Boot, microservices, and distributed application architectures
- Experience designing and implementing security controls within AWS cloud environments
- Deep understanding of secure software development principles, OWASP Top 10 vulnerabilities, and modern application security best practices
- Experience implementing DevSecOps controls within CI/CD pipelines, including Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Software Composition Analysis (SCA), and secrets management
- Strong knowledge of API security, including OAuth2, JWT, authentication, authorization, and rate-limiting strategies
- Experience securing Infrastructure-as-Code (Terraform preferred) and cloud-native application environments
- Familiarity with AWS security services, Web Application Firewalls (WAF), bot mitigation technologies (e.g., Cloudflare), and endpoint security solutions such as CrowdStrike
- Strong ownership mindset with the ability to lead security initiatives from assessment through remediation and continuous improvement
- Ability to balance security, performance, and business objectives while enabling rapid software delivery
- Excellent analytical and problem-solving skills with a pragmatic, hands-on approach to addressing complex security challenges
- Strong collaboration and communication skills with the ability to partner effectively across Engineering, Ecommerce, Infrastructure, Product, and external security partners
- Self-motivated and execution-focused, with the ability to manage multiple priorities in a fast-paced environment
- Passion for continuous learning and staying current with evolving cybersecurity threats, technologies, and industry best practices
- Experience supporting ecommerce platforms or other high-availability, customer-facing applications is preferred
- Professional security certifications such as AWS Security Specialty, CISSP, CSSLP, or comparable certifications are preferred
- Experience securing containerized environments, including Kubernetes and Amazon EKS, is preferred
- Familiarity with emerging security considerations related to AI-enabled applications and large language models (LLMs) is a plus