Security Engineer — Application Security & Identity
Function: Information Security.Reports to: Head of Security
Role Summary
Owns application security across multiple environments, each with increasing control and compliance requirements. Acts as reviewer for the least complex environments and co‑reviewer for higher complexity and controlled environments. Defines and enforces security controls across AWS hosted workloads and GitHub based development pipelines while maintaining independent review authority.
Applications originate as AI-assisted prototypes and require structured security validation before enterprise production deployment.
This is a hybrid role, based in any of our US offices—including New York City, Boston, Chicago, Carmel, or San Francisco—or remotely within the US, depending on team and business needs.
Key Responsibilities
- Conduct security reviews of internally developed applications including:
- Data flow validation
- Security control design and implementation
- Secrets handling
- AI/LLM Data Loss Prevention (DLP)
- Co‑lead production readiness reviews for strictly governed environments:
- Threat modeling
- Hardening validation
- Compliance mapping (SOC 2 and contractual and regulatory requirements)
- Define and enforce identity architecture:
- Corporate identity: Entra ID
- Workload identity: AWS IAM and GitHub OIDC
- Define and manage GitHub native security controls:
- GitHub Advanced Security (CodeQL / SAST)
- Dependabot (dependency scanning)
- Secret scanning
- Branch protection and environment controls
- Establish standards for security tooling:
- SAST (CodeQL, Semgrep)
- SCA (Dependabot, Snyk)
- Container scanning (Trivy, ECR scanning)
- Infrastructure as Code (IaC) policy (OPA, Sentinel, tfsec)
- Define AWS security standards:
- IAM design and least‑privilege access
- Logging and audit requirements
- Secrets management and rotation
- Scope and coordinate third‑party penetration testing
- Maintain audit logging maturity per environment requirements:
- Baseline logging
- User‑level activity tracking
- Tamper‑evident audit trails with SIEM integration
- Perform initial triage and risk classification within time requirements for critical issues identified in intake (data exposure, credentials, regulatory risk).
- Partner with DevOps Engineering to ensure security policies are implemented in pipelines and infrastructure.
AI Security & Usage Governance
- Define approved AI providers and usage boundaries
- Establish prompt data classification and handling policies
- Enforce human‑in‑the‑loop requirements where appropriate
- Define cost/spend guardrails for AI services
Required Qualifications
- 5+ years (or 3–5+ in high‑growth environments) in cloud security, 2 of which focused on application security
- Hands‑on security experience with:
- AWS IAM
- SAML / OIDC federation
- GitHub security tooling
- Experience with threat modeling and coordinating penetration testing
- Familiarity with SOC 2, GDPR, and HIPAA‑adjacent controls
- In‑depth understanding of the risk lifecycle
Preferred Qualifications
- Experience securing GitHub‑based CI/CD pipelines
- Experience in AWS native environments
- Exposure to regulated industries (GxP, 21 CFR Part 11)
- Security certifications (CISSP, CCSP, OSCP, GIAC, etc.)
- Associate’s degree or higher
- Experience bringing low‑code or AI‑generated applications under enterprise security controls
Pay Range: $60,000‑$80,000
Real Chemistry is an Equal Opportunity employer. We encourage motivated and qualified applicants to apply without regard to race, color, religion, sex (including pregnancy), sexual orientation, gender identity/expression, ethnic or national origin, age, physical or mental disability, genetic information, marital information, or any other characteristic protected by federal, state, or local employment discrimination laws where Real Chemistry operates.
#J-18808-Ljbffr…
