Sr. Principal Security Engineer, Application Security Strategy & Architecture
BioSpace · Indianapolis, IN · Yesterday
Information Technology$126k–$224k/yrFull-time
About the role
Lilly is seeking a Senior Principal Security Engineer to lead the Security Architecture & Engineering (SAE) organization's Application Security program. This role requires a deep understanding of security architecture, tool evaluation, and enterprise transformation.
Responsibilities
- Define and maintain the architectural direction for Lilly’s Secure SDLC program, including SAST, DAST, SCA, secrets management, and software supply chain capabilities.
- Partner with the Director of Application Security to identify and communicate program-level execution risks and dependencies.
- Translate regulatory, compliance, and audit requirements into security architecture that engineering teams can implement and sustain.
- Lead structured evaluations of security tooling across SAST, DAST, SCA, penetration testing, and AI-augmented security platforms.
- Define evaluation criteria, design proof-of-concept engagements, assess vendor capabilities against Lilly’s environment and scale, and produce recommendation packages for leadership decision-making.
- Maintain awareness of the AppSec tooling landscape and advise on emerging capabilities—including AI-driven security tools—that warrant evaluation or adoption.
- Partner with procurement, legal, and engineering collaborators to support vendor selection and contract alignment.
- Serve as the AppSec architecture lead for platform transformations, owning security architecture decisions and ensuring AppSec requirements are represented.
- Assess and document the security impact of the migration on existing AppSec controls—identifying gaps in SAST, secrets scanning, and CI/CD security coverage that the migration creates and defining the remediation path.
- Partner with engineering and platform teams to ensure security requirements are embedded into migration sequencing and cutover planning—not addressed after the fact.
- Define security readiness criteria for each phase of the transformation and serve as the AppSec authority on go/no-go decisions at key transition points.
- Provide senior technical guidance to AppSec engineers on complex implementation challenges, architecture decisions, and remediation approaches.
- Support threat modeling engagements for major product initiatives and platform changes across Lilly’s development ecosystem.
- Contribute to Lilly’s Secure SDLC standards and vulnerability management policy, ensuring policy is grounded in architectural reality and can be implemented through platform and pipeline controls.
Qualifications
- Bachelor’s Degree in Computer Science, Information Security, Software Engineering, or a related field.
- At least 5 years of experience in application security, security architecture, or a closely related discipline.
- Demonstrated experience leading or architecting a large-scale security, identity, or platform migration in an enterprise environment.
- Hands-on experience with GitHub enterprise environments, including GitHub Actions, CI/CD security controls, and identity and access management patterns.
- Experience evaluating and selecting enterprise security tooling, including SAST, DAST, or SCA platforms.
- Familiarity with threat modeling methodologies and application security fundamentals (OWASP Top 10, CWE, secure coding practices).
Preferred Qualifications
- Deep familiarity with GitHub’s identity and access model, including experience with or strong understanding of GitHub Enterprise Managed Users (EMU), SAML/OIDC federation, PAT governance, and GitHub Actions security controls.
- Experience assessing the security implications of platform migrations—understanding what breaks, what coverage gaps are created, and how to sequence remediation.
- Strong expertise in application security fundamentals—OWASP Top 10, CWE, secure coding practices, threat modeling, and vulnerability management.
- Working knowledge of AppSec tooling ecosystems: SAST (Checkmarx or equivalent), DAST, SCA, and secrets scanning platforms.
- Ability to communicate optimally to produce architectural documentation and present risk and recommendation to senior leadership.
- Familiarity with secrets management platforms and software supply chain security patterns.
- Awareness of AI-augmented security tooling and the ability to evaluate where AI meaningfully improves AppSec workflows versus where it introduces risk.
- Working knowledge of cloud environments (AWS preferred) and containerized workloads in the context of security architecture.
- Ability to operate as a senior individual contributor—providing architectural leadership and program-level judgment without requiring direct management authority to drive outcomes.