Lead Application Security Engineer
Carters Inc. · Atlanta, GA · 1 wk ago
Information TechnologyFull-time
Key Responsibilities
- Application security, architecture & standards (25%)
- Defining and owning the enterprise application security architecture, standards, and secure-by-default patterns
- Evaluating vendors and driving adoption of AppSec tooling across engineering teams
- Serving as the final technical authority on AppSec decisions
- Conducting and directing advanced secure code reviews, SAST/DAST assessments, and manual penetration testing
- Owning API security standards and driving vulnerability triage, risk prioritization, and remediation accountability
- Secure code review, API security & advanced testing (25%)
- Conducting and directing advanced secure code reviews, SAST/DAST assessments, and manual penetration testing
- Owning API security standards including REST and GraphQL, enforcing OWASP API Top 10 controls and authentication/authorization design patterns
- Driving vulnerability triage, risk prioritization, and remediation accountability across development teams at scale
- DevSecOps engineering & platform ownership (20%)
- Owning the DevSecOps toolchain: designing, deploying, and maturing security gates within CI/CD pipelines
- Embedding security into system design, SDLC processes, and platform decisions
- Demonstrating program maturity and risk reduction through continuous improvement of AppSec metrics, dashboards, and KPIs
- Ai security – build, secure & govern (20%)
- Building and deploying AI-powered security tooling and automation
- Assessing and governing risks associated with AI/ML integrations and connectors
- Developing and enforcing AI governance policies
- Risk governance, compliance & cross-functional leadership (10%)
- Representing the IT Security team in architecture reviews, cross-functional planning, and executive risk reporting
- Leading AppSec representation in PCI-DSS, NIST, and OWASP compliance audits and evidence collection
Requirements
- Must Have:
- 5+ years of application security, software engineering, or secure code review experience
- Strong proficiency in one or more languages (e.g., Python, Java, JavaScript, Go) with ability to perform in-depth code review and threat modeling
- Experience with SAST/DAST tooling (e.g., Snyk, SonarQube, Semgrep, Checkmarx, Burp Suite, OWASP ZAP)
- Proven communication and presentation skill set abilities with multilevel stakeholders
- Ability to meet deadlines and work with management across various disciplines
- Proven collaborative experience with cross functional teams
- Ability to perform on-call duties during off-hours and holidays
- An adaptable and flexible attitude towards changing business needs
- Preferred Skills And Experience:
- Bachelor’s degree in computer science or related field
- Experience leading or conducting red team, penetration testing, or adversarial simulation exercises
- Working knowledge of PCI-DSS, NIST, OWASP, and other regulatory frameworks; experience representing security in audit and compliance reviews
- Experience securing cloud-native or hybrid-cloud application environments (AWS, Azure, or GCP)
- Hands-on experience building, deploying, or integrating AI/ML-powered tools, combined with the ability to assess and govern their security posture
- Proven ability to define and enforce security standards across engineering organizations; prior experience owning a security capability or domain
- Security+, ISC2 CC, CompTIA A+, CompTIA Network+, SSCP, CCT, GWEB, CSSLP, CEH, or OSCP certifications