Unique Global Solutions, Inc.

Senior Cyber Security Engineer – Application Security

Panama

12 days ago

Summary

POSITION SUMMARY

The Senior Cyber Security Engineer - AppSec is a pivotal role within the Information Security department and is entrusted to develop and implement robust security frameworks across the organization. You will collaborate with cross-functional teams to design and enhance our cybersecurity defense, ensuring compliance with regulatory and industry standards, and leading initiatives to align with Cyber Security standards. The Senior Security Architect's work assignments involve moderately complex to complex issues where the analysis of situations or data requires an in-depth evaluation of variable factors.


JOB ROLE AND RESPONSIBILITIES

  • Collaborate and guide technical teams on information security practices.
  • Secure enterprise information by determining security requirements; planning, preparing security standards, policies, and procedures.
  • Integrate security testing tools (SAST, DAST, SCA, IaC scanners) into CI/CD pipelines and ensure results are actionable and prioritized.
  • Support or lead a Security Champions program to improve AppSec maturity across development teams.
  • Collaborate with incident response teams for application-layer incident investigations and perform root cause analysis for vulnerabilities.
  • Develop security training content and provide hands-on guidance to developers for secure coding practices.
  • Evaluate and recommend security tools and automation platforms that support vulnerability management, secrets detection, and runtime protection.
  • Develop metrics and KPIs to track application security posture, tool coverage, and vulnerability remediation timelines.
  • Determine security requirements by evaluating business strategies and requirements; researching information security standards; conducting system security and vulnerability analyses and risk assessments; studying architecture/platform; identifying integration issues; preparing cost estimates.
  • Act as a security SME on application and infrastructure projects, ensuring security considerations are integrated throughout the SDLC and DevSecOps pipelines.
  • Ensure all acquired and developed systems and architectures align with the organization's established cybersecurity architecture guidelines and standards.
  • Collaborate with developers to implement secure coding practices, threat modeling, and secure design patterns in both greenfield and legacy systems.
  • Identify security design gaps in existing and proposed architectures and recommend changes or enhancements.
  • Conduct threat modeling and risk analysis of business workflows and data flows, identifying and mitigating risks across APIs, third-party integrations, and user interactions.
  • Continuously assess the state of the information security program using the Cybersecurity Framework(s) to identify gaps and work with appropriate stakeholders to remediate deficiencies.
  • Ensure systems and applications are implemented with compensating controls to meet regulatory requirements (GLBA, etc.) as well as other industry compliance (PCI) requirements.
  • Participate in infrastructure and application project teams providing consultation on information security designs.
  • Review and define requirements for information security solutions.
  • Research emerging technologies in support of security enhancement and development efforts.
  • Perform project leadership tasks on select security projects.


COMPETENCE REQUIREMENTS

To perform this job successfully, an individual must be able to perform each essential duty satisfactorily. The requirements listed below are representative of the knowledge, skill, and/or ability required. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.

Qualifications include:


  • Strong understanding of Secure Software Development Lifecycle (SSDLC) and how to embed security across all phases
  • Expertise in application vulnerability classes (e.g., OWASP Top 10, CWE) and their mitigations
  • Proficiency in security testing techniques:
      • Static Application Security Testing (SAST)
      • Dynamic Application Security Testing (DAST)
      • Software Composition Analysis (SCA)
      • Interactive Application Security Testing (IAST)
  • Skilled in performing and facilitating threat modeling (e.g., STRIDE, DFDs)
  • Ability to conduct risk and vulnerability assessments and articulate business impact
  • Solid grasp of regulatory and compliance requirements: PCI-DSS, GLBA, GDPR, etc.
  • Hands-on experience with leading security tools: Snyk, Blackduck, Checkmarx, Fortify, Veracode, GitHub Advanced Security, OWASP ZAP, Burp Suite, etc.
  • Knowledge of secure CI/CD integration (e.g., GitHub Actions, GitLab CI, Azure DevOps, Jenkins)
  • Proficient in securing APIs, including authentication/authorization models (OAuth, OIDC, JWT)
  • Familiarity with secure cloud-native development (AWS, Azure, GCP)
  • Experience with container security (Docker, Kubernetes) and runtime protection mechanisms
  • Ability to assess Infrastructure-as-Code (IaC) for security issues (e.g., Terraform, CloudFormation)
  • Understanding of identity and access management concepts (RBAC, ABAC, MFA, Entra ID, Okta)
  • Strong communication skills with ability to explain security risks to technical and non-technical stakeholders
  • Experience mentoring development teams and promoting secure coding practices
  • Ability to lead or support a Security Champion program
  • Strong analytical and troubleshooting skills to investigate and solve complex security issues
  • Proficient in project/task management, capable of handling multiple security engagements simultaneously with limited management supervision
  • Skilled in producing clear and actionable security reports, threat models, and risk documentation

EXPERIENCE

Outlined below are the academic qualifications and length and type of experience deemed necessary by Unique Vacations Inc. to perform the role of Senior Cyber Security Engineer – Application Security competently.


Education: Four-year degree in a relevant field preferred.

Experience: 5 or more years’ experience

Certifications (1 or more): OSWE – Offensive Security Web Expert, GWAPT, GWEB, or GPEN – GIAC Web App & Pen Testing certifications, CSSLP – Certified Secure Software Lifecycle Professional, CISSP, CISM, or CEH – Broad security leadership or ethical hacking, and/or AWS/Azure/GCP Security Specialty – For roles with cloud-native application exposure.

WORKING CONDITIONS

The work environment characteristics described here are representative of those an employee encounters while performing the essential functions of this job. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.


The noise level in the work environment is usually moderate.


International travel requirement is 20% or more if needed.


Remote 1 day a week (4 months after start date).
