Cox Automotive

Lead Application Security Engineer - 19562 at Cox Automotive

Cox Automotive Peachtree Corners, Georgia

Job Description

The Lead Application Security Engineer will partner with Security Engineering Enablement and Security Architecture to design and ship secure software: secure code reviews and help define requirements on prerelease control validation (SAST/DAST/SCA, API security, Container/IaC scans). Drive fix-first coaching: turn findings into clear remediation guidance and code examples, to help teams remediate security findings.

The team is the Center of Excellence (COE) for Application Security, Web Application Firewalls and Cloud Security. In this capacity, the Lead AppSec Engineer can provide advice and guidance to teams in these areas to support the established standards and policies, in the form of Office Hours, Brown Bags or team consultation sessions.

Primary Responsibilities:

  • Operate, administer, and continuously improve our off the shelf AppSec and CloudSec tools (WAF infrastructure management, user onboarding, policy/config, integrations).
  • Triage and disposition vulnerabilities across SAST/DAST/SCA/API/IaC/CSPM sources; lead false positive reviews and suppression/exception workflows with strong audit trails.
  • Partner with Cloud Platform teams to harden AWS/Azure/GCP environments using CSPM/CNAPP controls, guardrails, and baselines; guide secure patterns for serverless, containers/Kubernetes, and secrets management.
  • Support system administration, configuration, and maintenance for the AppSec/CloudSec/WAF toolset (identity/roles, agent health, connectors, backups, upgrades, and DR testing).
  • Evaluate security tools on an ongoing basis, to ensure we are leveraging the best toolset that meets the enterprise's needs.
  • Serve as first-line triage for Responsible Disclosure submissions, reproduce issues, determine severity/impact, assign owners/SLAs, and track to closure.
  • Ensure consistent communications with Responsible Disclosure reporters and internal stakeholders and maintain accurate records for compliance.
  • Use scripting/automation (Python, PowerShell, Bash, REST APIs, Terraform modules, GitHub Actions/Azure DevOps/GitLab CI) for ad hoc fixes and to reduce toil (bulk policy changes, project provisioning, baseline exceptions, report consolidation).
  • Stakeholder for helping design Secure Pipelines to be implemented by the Security Engineering Enablement team.


Minimum Qualifications:

  • Bachelor's degree in a related discipline and 6 years' experience in a related field. The right candidate could also have a different combination, such as a master's degree and 4 years' experience; a Ph.D. and 1 year of experience; or 18 years' experience in a related field.
  • 2 years in Application / Product security or software engineering with a strong security focus.
  • Hands on depth with modern SDLC/DevSecOps in cloud-native environments: microservices, APIs, containers/Kubernetes, serverless, IaC (Terraform/CloudFormation/ARM/Bicep), and CI/CD integration.
  • Practical expertise operating and tuning SAST, DAST, SCA, API testing, IaC/container scanners, plus CNAPP for multi cloud.
  • Scripting/automation proficiency (Python preferred; PowerShell/Bash nice) and REST API integration skills; able to create quick utilities and pipeline jobs to reduce manual effort.
  • Strong knowledge of OWASP Top 10, ASVS, SAMM, NIST SSDF, CSA CCM, secure design patterns, cryptography fundamentals, authN/Z (OAuth2/OIDC/JWT), and common web/API vulns and mitigations.
  • Experience triaging responsible disclosure or bug bounty reports and driving coordinated remediation with product teams.
  • Excellent communicator who can simplify complex risk for engineers and leaders; bias to action and measurable outcomes.
  • Familiarity with software supply chain security (SBOMs, signing, provenance, dependency risk) and runtime protection (RASP, WAF/WL, EDR for containers).
  • Strong understanding of cloud architecture and infrastructure.
  • Collaborate with AI agents to build, test, and deploy software across the SDLC, by using proper contextual inputs to improve AI understanding and output quality.
  • Implement AI-powered features and pipelines in our software.
  • Contribute to prompt engineering experimentation and share tool usage insights.
  • Define coding standards, review practices, and ethical guidelines for AI use.
  • Mentor peers and coach junior team members on AI-augmented development.
  • Applicants must currently be authorized to work in the United States for any employer without current or future sponsorship. No OPT, CPT, STEM/OPT or visa sponsorship now or in future.


Preferred skills:

  • WAF engineering experience (policy design, tuning, false positive management, bot/rate limit controls, logging/observability, blue/green rollout).
  • Certifications (e.g., CISSP, CSSLP, GWAPT, GCSA, GCP/AWS/Azure security) are a plus.
  • Experience with API security (OWASP API Top 10), Proactive Threat Response, Responsible Disclosure workflows is a plus.


USD 119,600.00 - 199,400.00 per year

Compensation:

Compensation includes a base salary of $119,600.00 - $199,400.00. The base salary may vary within the anticipated base pay range based on factors such as the ultimate location of the position and the selected candidate's knowledge, skills, and abilities. Position may be eligible for additional compensation that may include an incentive program.

Benefits:

The Company offers eligible employees the flexibility to take as much vacation with pay as they deem consistent with their duties, the company's needs, and its obligations; seven paid holidays throughout the calendar year; and up to 160 hours of paid wellness annually for their own wellness or that of family members. Employees are also eligible for additional paid time off in the form of bereavement leave, time off to vote, jury duty leave, volunteer time off, military leave, and parental leave.
