Senior/Lead Security Engineer

Security Engineer - Application Security, Network/WebApp Penetration Testing

Location: Dallas TX or Chicago IL

Compensation: $130,000 - $190,000 base + bonus + benefits

This role is part of a collaborative security team working alongside IT and software development groups to enhance and maintain the security posture of enterprise applications and systems. The position focuses on integrating security into the software development lifecycle, automating security processes, and conducting assessments across both cloud and on-premises environments.

Key Responsibilities:

• Conduct security assessments for networks, applications, and web platforms.
• Develop and maintain automation scripts to streamline security operations.
• Identify, document, and communicate security vulnerabilities and risks.
• Support secure development practices across legacy and modern cloud-native environments.

Core Duties:

Application Security & Secure Development Lifecycle (SDLC):

• Build and refine security tooling (e.g., SAST, DAST, SCA, IaC).
• Integrate security tools into CI/CD pipelines and developer workflows.
• Design and implement a secure SDLC framework tailored to agile delivery models.
• Automate security checks to ensure continuous visibility and compliance.
• Establish threat modeling and secure design review processes.
• Address security concerns in supply chain, AI/ML, and open-source components.
• Analyze vulnerability reports and conduct risk assessments.
• Manage and operate both cloud-based and self-hosted security scanning tools.
• Facilitate code review sessions to reduce false positives and promote collaboration.
• Support the implementation and management of vulnerability tracking tools.
• Conduct independent security reviews of internal applications.
• Provide remediation guidance and debrief stakeholders on findings.
• Ensure alignment with industry standards, regulatory requirements, and internal policies.
• Review application releases to verify secure code deployment.
• Develop automation to assist teams in interpreting and remediating vulnerabilities.
• Perform additional duties as needed.

Qualifications:

Required:

• Hands-on experience with CI/CD tools (e.g., Docker, Jenkins, GitHub, Terraform).
• Strong analytical and problem-solving skills.
• Technical background in enterprise IT and security technologies.
• Familiarity with cloud platforms (AWS, Azure, GCP) and associated security practices.
• Understanding of compliance frameworks (e.g., NIST, PCI, HIPAA).
• Knowledge of cryptographic principles and enterprise infrastructure.
• Ability to read and modify code in multiple programming languages.

Technical Expertise:

• In-depth knowledge of web, API, and cloud vulnerabilities (e.g., OWASP Top 10).
• Familiarity with secure coding practices across languages like Python, Java, JavaScript.
• Understanding of platform engineering and cloud-native security models.
• Proficiency in identifying and mitigating application-layer threats.
• Experience with API security (REST, GraphQL), Postman, and artifact repositories.
• Knowledge of shift-left security strategies and early-stage controls.
• Familiarity with Kubernetes, container security, and infrastructure as code.
• Ability to prioritize vulnerabilities based on risk and business impact.
• Strong scripting and automation skills (e.g., Python, PowerShell, Bash).
• Exposure to penetration testing tools and techniques.
• Experience with diverse operating systems and network platforms.
• Familiarity with application frameworks and their built-in security features.
• Understanding of security architecture principles and automated scanning tools.
• Knowledge of authentication, authorization, and auditing best practices.
• Experience with identity and access management systems (e.g., LDAP, Active Directory).

Education & Experience:

• Bachelor's degree in Computer Science, Information Security, or a related field.
• Minimum of 5 years of experience in application or information security.
• Experience with scripting and containerized environments in CI/CD pipelines.
• Exposure to secure architecture design and security best practices.

Certifications (Preferred):

• Security certifications such as CISSP, CISA, CRISC, OSCP, GPEN, or similar.
• Cloud security certifications (e.g., GCSA).
• Penetration testing certifications (e.g., OSCP, GWAPT).