Lead DevSecOps / Application Security Lead
About the Role

We are looking for an experienced Lead DevSecOps / Application Security professional to drive secure software development practices, strengthen application security posture, and lead security initiatives across modern cloud-native environments. This role combines hands-on technical leadership with strategic ownership of security processes, risk management, and compliance initiatives.
Responsibilities

  • Lead and mentor a team of security professionals, fostering a strong security culture across engineering and operational teams.
  • Build, enhance, and continuously refine security systems, processes, and governance frameworks.
  • Drive the implementation of technical, operational, people, and audit controls to mitigate organizational risk.
  • Manage security initiatives, prioritize activities based on business impact and risk exposure, and define measurable objectives.
  • Develop, maintain, and evolve the organization's cybersecurity strategy.
  • Oversee the implementation and enforcement of security policies, standards, and guidelines.
  • Partner closely with engineering teams to integrate security throughout the Secure Software Development Lifecycle (SSDLC) and promote shift-left security practices.
  • Conduct threat modeling, security design reviews, vulnerability assessments, and remediation planning.
  • Establish and improve vulnerability management processes, ensuring timely identification and resolution of security issues.
  • Ensure compliance with applicable regulatory and industry frameworks, including PCI, SOX, and security controls aligned with ISO and ITIL practices.
  • Guide the development, testing, and maintenance of incident response and disaster recovery plans.
  • Monitor emerging security threats, trends, and technologies, applying relevant improvements to security controls and processes.
  • Support secure cloud-native delivery practices, including containerized environments, Infrastructure as Code (IaC), CI/CD pipelines, and software supply chain security.
Requirements (Must-Have)

  • 8+ years of hands-on experience in Application Security, Product Security, DevSecOps, or related security engineering roles.
  • Proven experience collaborating directly with software engineering teams to improve application security posture.
  • Strong practical experience with AppSec tooling, including:
    • SAST (Static Application Security Testing)
    • SCA (Software Composition Analysis)
    • Code scanning solutions
    • GitHub and GitHub Advanced Security
    • SonarQube
    • Dependabot
    • CI/CD security integrations
  • Ability to review source code, assess real-world risk, and drive practical, business-oriented remediation efforts.
  • Strong understanding of SSDLC and shift-left security methodologies.
  • Experience conducting threat modeling, security architecture reviews, and vulnerability management activities.
  • Deep knowledge of application and API security, including:
    • Authentication and Authorization (AuthN/AuthZ)
    • Secrets management
    • Dependency and third-party risk management
    • Injection vulnerabilities
    • Data protection principles
  • Experience with cloud-native development and delivery environments, including containers, Infrastructure as Code, Git-based workflows, automation, and technical documentation.
  • Strong communication and stakeholder management skills, with the ability to influence technical and business audiences.
Nice to Have

  • Experience with Infrastructure as Code (IaC) security scanning.
  • Container and container image security expertise.
  • Software supply chain security experience.
  • Advanced secrets management knowledge.
  • AWS cloud security experience.
  • Experience working within regulated, compliance-driven, audit-sensitive, or business-critical environments.
  • Familiarity with PCI DSS, SOX, ISO 27001, ITIL, and related governance frameworks.
What AppRecode offers

  • 20 days of paid annual leave plus public holidays.
  • 5 paid sick days per year.
  • Remote-first work environment.
  • Friendly and supportive team culture.
  • Personal development plans and access to experienced mentors and technical leaders.
  • Reimbursement for sports activities and professional certifications (after probation).
  • Ongoing learning opportunities: internal trainings and knowledge-sharing sessions.
  • Free English classes if you want to further improve your communication skills.

Required languages

English B1 - Intermediate
Ukrainian Native
Application Security, Product Security, DevSecOps, SSDLC, Shift-left security, SAST, SCA, GitHub, GitHub Advanced Security, Code Scanning
Published 23 June