About the Role
As the Application Security SME, you will be the primary authority on AppSec best practices across SaaS and digital-facing solutions. You will manage the AppSec toolchain (SonarQube, Nexus, Trivy), lead VA/PT efforts, and embed security throughout the SDLC and CI/CD pipelines. This is a hands-on role with high ownership and impact.
Key Responsibilities
- Lead vulnerability assessments and penetration testing across applications and APIs.
- Manage AppSec tools including SonarQube, Trivy, and Nexus.
- Implement DevSecOps and API security controls across the SDLC.
- Secure containerized applications running on Red Hat OpenShift Container Platform (RHOCP).
- Conduct manual and automated code reviews.
- Perform threat modeling and risk analysis for new applications and major changes.
- Govern AppSec processes using the RACI model.
- Provide remediation guidance and secure coding training to development teams.
- Manage vulnerability lifecycle and report key AppSec metrics to leadership.
- Support external penetration testing and bug bounty programs.
- Maintain, tune, and improve AppSec tooling and security posture.
Must-Have Qualifications
- 8+ years of experience in Application Security, DevSecOps, or VA/PT.
- Hands-on experience with SonarQube (SAST).
- Hands-on experience with Trivy for container image scanning.
- Experience with Nexus Repository for artifact security.
- Strong background in VA/PT for SaaS or digital-facing apps.
- Knowledge of OWASP Top 10 and SANS Top 25.
- Experience securing applications on RHOCP.
- Experience implementing API security controls.
- Ability to collaborate with engineering/DevOps teams within the SDLC.
Good-to-Have
- Certifications in DevSecOps and VA/PT.
- Experience using ITSM service management tools.
- Experience running or supporting bug bounty programs.