Principal Application Security Engineer
Role Overview
Cboe’s Cybersecurity team is seeking a Principal Application Security Engineer to provide senior technical leadership and end-to-end ownership for embedding pragmatic, scalable security across our hybrid engineering ecosystem.
Your responsibilities will be:
- Application & API Security
- Own secure architecture reviews and threat modeling for new systems and major changes, establishing architectural direction for Kubernetes trust boundaries, secure service-to-service communication, and API authorization models across the environment
- Define, mature, and drive adoption of application and API security standards, including authentication and authorization patterns, input validation requirements, and mitigations for common vulnerability classes such as SSRF, injection, and access control flaws
- Provide principal-level guidance for high-risk code and design changes, resolving complex security tradeoffs and driving remediation approaches that are durable, scalable, and aligned to engineering realities
- Act as a senior technical partner to engineering leadership, influencing roadmaps, architecture decisions, and secure-by-default design patterns across the organization
- Kubernetes, Container & DevSecOps Security
- Own Kubernetes workload security standards across multi-cluster environments, setting technical direction for RBAC, pod security controls, namespace isolation, network policies, secrets management, and platform guardrails
- Establish and continuously evolve the container image security strategy, including secure base image standards, vulnerability management expectations, SBOM practices, and deployment controls that prevent risky configurations from reaching production
- Drive the design and adoption of DevSecOps guardrails in CI/CD pipelines, ensuring SAST, SCA, secret scanning, container scanning, and IaC scanning are integrated through high-signal workflows that scale across engineering teams with minimal developer friction
- Software Vulnerability Management & Security
- Own the strategy for risk-based software vulnerability management, including triage, exploitability assessment, remediation priorities, service level expectations, and metrics that demonstrate measurable reduction in security risk over time
- Develop and champion secure coding guidance, reusable security patterns, and enablement programs that raise engineering capability and create lasting improvements in how teams design and build software
- Lead security design support during incident response and post-incident follow-through, translating lessons learned into durable architectural, control, and guardrail improvements that prevent recurrence
- AI Implementation Security
- Own the secure adoption of AI-enabled development and security capabilities, establishing patterns and guardrails for secure code review, automated assessments, and process improvements throughout the SDLC
- Provide principal-level architecture and risk guidance for AI implementations and integrations, shaping secure design decisions, control expectations, and review practices for emerging use cases
- Drive governance and technical controls to define, monitor, and enforce data boundaries, permissions, and approved usage patterns for AI-related data access
Requirements
Experience directly writing and delivering production software as a software engineer
Bachelor's degree in Computer Science, Information Security, or related field preferred
Relevant certifications preferred (e.g., CSSLP, CKS, OSCP, AWS/Azure Security Specialty)
Proven ability to read, write, and review production-grade code in at least one modern backend language (e.g., C++, Go, Java, C#, Python, Node.js), with the judgment to guide secure engineering decisions in high-impact systems
Strong working knowledge of Kubernetes security primitives (RBAC, namespaces, service accounts, pod security) and container build practices
Hands-on experience integrating DevSecOps tooling (SAST, SCA, secret scanning, IaC/container scanning) into CI/CD pipelines
Experience securing hybrid environments with workloads running in both public cloud (EKS, AKS, GKE) and on-prem Kubernetes platforms
Exceptional communication, influence, and technical leadership skills, with a demonstrated ability to drive alignment, establish direction, and own outcomes across engineering, platform, and security stakeholders
Qualifications
12+ years of experience in application security, product security, or software engineering, including significant experience shaping architecture, setting standards, and driving security outcomes across complex production environments
Skills
Deep hands-on expertise, strong systems thinking, and the ability to influence engineering practices, standards, and priorities at scale
Ability to make high-impact architectural decisions and drive consistent security outcomes across multiple teams and platforms
Ability to resolve complex security tradeoffs and drive remediation approaches that are durable, scalable, and aligned to engineering realities
Ability to influence roadmaps, architecture decisions, and secure-by-default design patterns across the organization
Ability to establish direction in complex or ambiguous situations and set technical direction for Kubernetes trust boundaries, secure service-to-service communication, and API authorization models across the environment
Ability to drive consistent security outcomes across multiple teams and platforms
Ability to act as a senior technical partner to engineering leadership, influencing roadmaps, architecture decisions, and secure-by-default design patterns across the organization
Ability to provide principal-level guidance for high-risk code and design changes, resolving complex security tradeoffs and driving remediation approaches that are durable, scalable, and aligned to engineering realities
Ability to act as a senior technical partner to engineering leadership, influencing roadmaps, architecture decisions, and secure-by-default design patterns across the organization
Ability to provide principal-level guidance for high-risk code and design changes, resolving complex security tradeoffs and driving remediation approaches that are durable, scalable, and aligned to engineering realities
Ability to drive consistent security outcomes across multiple teams and platforms
Ability to establish direction in complex or ambiguous situations and set technical direction for Kubernetes trust boundaries, secure service-to-service communication, and API authorization models across the environment
Ability to drive consistent security outcomes across multiple teams and platforms
Ability to establish direction in complex or ambiguous situations and set technical direction for Kubernetes trust boundaries, secure service-to-service communication, and API authorization models across the environment
Ability to drive consistent security outcomes across multiple teams and platforms
Ability to establish direction in complex or ambiguous situations and set technical direction for Kubernetes trust boundaries, secure service-to-service communication, and API authorization models across the environment
Ability to drive consistent security outcomes across multiple teams and platforms
Ability to establish direction in complex or ambiguous situations and set technical direction for Kubernetes trust boundaries, secure service-to-service communication, and API authorization models across the environment
Ability to drive consistent security outcomes across multiple teams and platforms
Ability to establish direction in complex or ambiguous situations and set technical direction for Kubernetes trust boundaries, secure service-to-service communication, and API authorization models across the environment
Ability to drive consistent security outcomes across multiple teams and platforms
Ability to establish direction in complex or ambiguous situations and set technical direction for Kubernetes trust boundaries, secure service-to-service communication, and API authorization models across the environment
Ability to drive consistent security outcomes across multiple teams and platforms
Ability to establish direction in complex or ambiguous situations and set technical direction for Kubernetes trust boundaries, secure service-to-service communication, and API authorization models across the environment
Ability to drive consistent security outcomes across multiple teams and platforms
Ability to establish direction in complex or ambiguous situations and set technical direction for Kubernetes trust boundaries, secure service-to-service communication, and API authorization models across the environment
Ability to drive consistent security outcomes across multiple teams and platforms
Ability to establish direction in complex or ambiguous situations and set technical direction for Kubernetes trust boundaries, secure service-to-service communication, and API authorization models across the environment
Ability to drive consistent security outcomes across multiple teams and platforms
Ability to establish direction in complex or ambiguous situations and set technical direction for Kubernetes trust boundaries, secure service-to-service communication, and API authorization models across the environment
Ability to drive consistent security outcomes across multiple teams and platforms
Ability to establish direction in complex or ambiguous situations and set technical direction for Kubernetes trust boundaries, secure service-to-service communication, and API authorization models across the environment
Ability to drive consistent security outcomes across multiple teams and platforms
Ability to establish direction in complex or ambiguous situations and set technical direction for Kubernetes trust boundaries, secure service-to-service communication, and API authorization models across the environment
Ability to drive consistent security outcomes across multiple teams and platforms
Ability to establish direction in complex or ambiguous situations and set technical direction for Kubernetes trust boundaries, secure service-to-service communication, and API authorization models across the environment
Ability to drive consistent security outcomes across multiple teams and platforms
Ability to establish direction in complex or ambiguous situations and set technical direction for Kubernetes trust boundaries, secure service-to-service communication, and API authorization models across the environment
Ability to drive consistent security outcomes across multiple teams and platforms
Ability to establish direction in complex or ambiguous situations and set technical direction for Kubernetes trust boundaries, secure service-to-service communication, and API authorization models across the environment
Ability to drive consistent security outcomes across multiple teams and platforms
Ability to establish direction in complex or ambiguous situations and set technical direction for Kubernetes trust boundaries, secure service-to-service communication, and API authorization models across the environment
Ability to drive consistent security outcomes across multiple teams and platforms
Ability to establish direction in complex or ambiguous situations and set technical direction for Kubernetes trust boundaries, secure service-to-service communication, and API authorization models across the environment
Ability to drive consistent security outcomes across multiple teams and platforms
Ability to establish direction in complex or ambiguous situations and set technical direction for Kubernetes trust boundaries, secure service-to-service communication, and API authorization models across the environment
Ability to drive consistent security outcomes across multiple teams and platforms
Ability to establish direction in complex or ambiguous situations and set technical direction for Kubernetes trust boundaries, secure service-to-service communication, and API authorization models across the environment
Ability to drive consistent security outcomes across multiple teams and platforms
Ability to establish direction in complex or ambiguous situations and set technical direction for Kubernetes trust boundaries, secure service-to-service communication, and API authorization models across the environment
Ability to drive consistent security outcomes across multiple teams and platforms
Ability to establish direction in complex or ambiguous situations and set technical direction for Kubernetes trust boundaries, secure service-to-service communication, and API authorization models across the environment
Ability to drive consistent security outcomes across multiple teams and platforms
Ability to establish direction in complex or ambiguous situations and set technical direction for Kubernetes trust boundaries, secure service-to-service communication, and API authorization models across the environment
Ability to drive consistent security outcomes across multiple teams and platforms
Ability to establish direction in complex or ambiguous situations and set technical direction for Kubernetes trust boundaries, secure service-to-service communication, and API authorization models across the environment
Ability to drive consistent security outcomes across multiple teams and platforms
Ability to establish direction in complex or ambiguous situations and set technical direction for Kubernetes trust boundaries, secure service-to-service communication, and API authorization models across the environment
Ability to drive consistent security outcomes across multiple teams and platforms
Ability to establish direction in complex or ambiguous situations and set technical direction for Kubernetes trust boundaries, secure service-to-service communication, and API authorization models across the environment
Ability to drive consistent security outcomes across multiple teams and platforms
Ability to establish direction in complex or ambiguous situations and set technical direction for Kubernetes trust boundaries, secure service-to-service communication, and API authorization models across the environment
Ability to drive consistent security outcomes across multiple