Application Security Team Lead

European Union | Georgia | Serbia | Remote | Senior

Responsibilities

  • Lead and mentor the Application Security team, setting priorities, conducting code reviews, and fostering a security-first engineering culture across the organization.

  • Own the Secure Software Development Lifecycle (SSDLC), embedding security gates—threat modeling, static/dynamic analysis, dependency scanning—into the CI/CD pipeline for the company's product.

  • Drive vulnerability management end-to-end, from triage and risk-scoring of findings (SAST, DAST, pen tests, bug bounties) through to coordinating remediation timelines with development teams.

  • Define and maintain application security standards, policies, and guidelines aligned with financial-industry regulations (e.g., PCI DSS, SOC 2, GDPR) and ensure the product stays compliant.

  • Partner with Product, Engineering, and DevOps leadership to assess security risk of new features and architectural changes, providing pragmatic guidance that balances speed-to-market with risk tolerance.

  • Plan and oversee regular penetration testing and red-team exercises on the company's product, translating results into actionable roadmap items and reporting risk posture to senior management.

Requirements

  • 10+ years of hands-on application security experience, with at least 4 years in a lead or senior role managing a team of security engineers.

  • Deep expertise in secure coding practices and common vulnerability classes (OWASP Top 10, CWE/SANS Top 25) across modern tech stacks (e.g., Java, Python, .NET, JavaScript/TypeScript).

  • Strong experience with SAST, DAST, SCA, and IAST tools (e.g., Checkmarx, SonarQube, Burp Suite, Snyk, Semgrep) and integrating them into CI/CD pipelines.

  • Solid understanding of cloud security (AWS, Azure, or GCP), container security (Docker, Kubernetes), and infrastructure-as-code scanning.

  • Experience with threat modeling methodologies (STRIDE, PASTA, Attack Trees) and ability to lead threat modeling sessions with engineering teams.

  • Working knowledge of financial-industry compliance frameworks — PCI DSS, SOC 2, GDPR, or similar regulatory requirements relevant to fintech/financial services.

  • Proven ability to communicate security risks to both technical and non-technical stakeholders, including C-level executives, translating findings into business impact.

Nice-to-Have:

  • Relevant certifications — CSSLP, OSCP, OSWE, GWAPT, CEH, or CISSP.

  • Experience running or managing bug bounty programs.

  • Background in penetration testing or red teaming, especially against financial applications.

  • Experience with API security (OAuth 2.0, OpenID Connect, REST/GraphQL hardening).

  • Familiarity with DevSecOps culture and building security champions programs within engineering organizations.

  • Contribution to open-source security tools or active participation in the AppSec community (OWASP chapters, conference talks, published research).

Published on: 4/16/2026

Salmon


Salmon is a licensed neobank with big ambitions — and even bigger opportunities for product creators. We're building modern banking services for millions of Filipinos and expanding fast across South Asia.
