Senior Application Security Engineer

• Architect and integrate security into CI/CD pipelines using modern automation and guardrails.
• Develop secure frameworks, SDKs, and CI integrations to enable frictionless adoption of security controls.
• Maintain secure coding standards and guidance tailored to our technology stack.
• Collaborate with DevOps and platform teams to enhance container and infrastructure security (Docker, Kubernetes, IaC).

• Lead threat modeling workshops across product and platform teams.
• Identify and assess vulnerabilities using SAST, DAST, SCA, manual code reviews, and penetration testing.
• Promote reusable remediation patterns for code and infrastructure vulnerabilities.
• Leverage threat intelligence to prioritize mitigations based on business risk.

• Build and maintain automation tools for vulnerability triage, mitigation, and reporting.
• Strengthen API security through robust authentication protocols (OAuth 2.0, OpenID Connect, SAML).
• Integrate with API gateways (e.g., Layer7, MuleSoft) to enforce secure communication and tokenization.
• Support secure deployment of microservices and distributed systems using best-in-class tooling.

• Mentor engineers and analysts, fostering secure development capabilities across teams.
• Lead internal workshops, onboarding sessions, and lunch-and-learns to promote security awareness.
• Collaborate with Security Champions to build advocacy and threat modeling expertise.
• Create internal documentation, playbooks, and training materials aligned with real-world threats.

• Act as a bridge between Security, Engineering, and Product teams to align on secure architecture and SDLC practices.
• Participate in incident response, forensic analysis, and post-incident remediation.
• Support compliance initiatives (SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR) through technical guidance and documentation.
• Define and track KPIs to measure and improve security maturity across the organization.

• 5+ years in application security, software engineering, or a related technical security role.
• Proficient in at least one modern programming language (e.g., Java, C#, Python, JavaScript).
• Experience with security tools: SAST, DAST, SCA, IaC scanners, RASP.
• Strong knowledge of cloud infrastructure (AWS preferred), containers (Docker, Kubernetes), and CI/CD security.
• Familiarity with OWASP Top 10, ASVS, CVSS, MITRE ATT&CK, STRIDE, and software supply chain security.

• Deep understanding of API security protocols and secure service-to-service communication.
• Experience with secure artifact/package management and container registries.
• Ability to script or build internal tools to scale security practices.
• Hands-on experience with DevSecOps tools (GitHub Actions, Jenkins, GitLab CI, Terraform, etc.).

• Working knowledge of privacy and security regulations (GDPR, CCPA, HIPAA, PCI, SOC 2, ISO 27001).
• Experience supporting audits, risk assessments, and policy development.

• Professional certifications (e.g., OSCP, CSSLP, CISSP, Security+).
• Contributions to open-source security projects or community involvement.
• Experience with policy-as-code tools (e.g., Open Policy Agent).
• Familiarity with secure runtimes (e.g., Firecracker), sidecars, or service meshes (e.g., Istio).

• Strategic thinker with a hands-on, problem-solving mindset.
• Strong communicator, able to engage both technical and non-technical stakeholders.
• Collaborative leader with a growth mindset and a passion for mentoring.
• Comfortable navigating fast-paced, cross-functional environments.

Unum