Jobs · Information Technology · Indiana

Sr. Principal Security Engineer, Application Security Strategy & Architecture

BioSpace · Indianapolis, IN · Yesterday
Information Technology$126k–$224k/yrFull-time

About the role

Lilly is seeking a Senior Principal Security Engineer to lead the Security Architecture & Engineering (SAE) organization's Application Security program. This role requires a deep understanding of security architecture, tool evaluation, and enterprise transformation.

Responsibilities

  • Define and maintain the architectural direction for Lilly’s Secure SDLC program, including SAST, DAST, SCA, secrets management, and software supply chain capabilities.
  • Partner with the Director of Application Security to identify and communicate program-level execution risks and dependencies.
  • Translate regulatory, compliance, and audit requirements into security architecture that engineering teams can implement and sustain.
  • Lead structured evaluations of security tooling across SAST, DAST, SCA, penetration testing, and AI-augmented security platforms.
  • Define evaluation criteria, design proof-of-concept engagements, assess vendor capabilities against Lilly’s environment and scale, and produce recommendation packages for leadership decision-making.
  • Maintain awareness of the AppSec tooling landscape and advise on emerging capabilities—including AI-driven security tools—that warrant evaluation or adoption.
  • Partner with procurement, legal, and engineering collaborators to support vendor selection and contract alignment.
  • Serve as the AppSec architecture lead for platform transformations, owning security architecture decisions and ensuring AppSec requirements are represented.
  • Assess and document the security impact of the migration on existing AppSec controls—identifying gaps in SAST, secrets scanning, and CI/CD security coverage that the migration creates and defining the remediation path.
  • Partner with engineering and platform teams to ensure security requirements are embedded into migration sequencing and cutover planning—not addressed after the fact.
  • Define security readiness criteria for each phase of the transformation and serve as the AppSec authority on go/no-go decisions at key transition points.
  • Provide senior technical guidance to AppSec engineers on complex implementation challenges, architecture decisions, and remediation approaches.
  • Support threat modeling engagements for major product initiatives and platform changes across Lilly’s development ecosystem.
  • Contribute to Lilly’s Secure SDLC standards and vulnerability management policy, ensuring policy is grounded in architectural reality and can be implemented through platform and pipeline controls.

Qualifications

  • Bachelor’s Degree in Computer Science, Information Security, Software Engineering, or a related field.
  • At least 5 years of experience in application security, security architecture, or a closely related discipline.
  • Demonstrated experience leading or architecting a large-scale security, identity, or platform migration in an enterprise environment.
  • Hands-on experience with GitHub enterprise environments, including GitHub Actions, CI/CD security controls, and identity and access management patterns.
  • Experience evaluating and selecting enterprise security tooling, including SAST, DAST, or SCA platforms.
  • Familiarity with threat modeling methodologies and application security fundamentals (OWASP Top 10, CWE, secure coding practices).

Preferred Qualifications

  • Deep familiarity with GitHub’s identity and access model, including experience with or strong understanding of GitHub Enterprise Managed Users (EMU), SAML/OIDC federation, PAT governance, and GitHub Actions security controls.
  • Experience assessing the security implications of platform migrations—understanding what breaks, what coverage gaps are created, and how to sequence remediation.
  • Strong expertise in application security fundamentals—OWASP Top 10, CWE, secure coding practices, threat modeling, and vulnerability management.
  • Working knowledge of AppSec tooling ecosystems: SAST (Checkmarx or equivalent), DAST, SCA, and secrets scanning platforms.
  • Ability to communicate optimally to produce architectural documentation and present risk and recommendation to senior leadership.
  • Familiarity with secrets management platforms and software supply chain security patterns.
  • Awareness of AI-augmented security tooling and the ability to evaluate where AI meaningfully improves AppSec workflows versus where it introduces risk.
  • Working knowledge of cloud environments (AWS preferred) and containerized workloads in the context of security architecture.
  • Ability to operate as a senior individual contributor—providing architectural leadership and program-level judgment without requiring direct management authority to drive outcomes.

Similar jobs