The Application Security (AppSec) team at Lumin Digital is responsible for guiding and supporting a secure software development lifecycle across all products and internal applications developed within the company.  This team is responsible for helping code authors across the entire organization build security into our technology from early conceptualization and design phases, not bolt it on as an afterthought or check-the-box activity.   This role leads the AppSec function by driving strategic improvements in application security, coordinating with teams across the company, and promoting a shared understanding that code quality includes security. The role requires strong technical leadership and collaboration to ensure our application security posture continuously evolves and strengthens over time.

Identify emerging industry threats, observed trends, and industry best practices guidelines to identify gaps and identify, plan, design, and enhance our application security posture in collaboration across Lumin Digital

Develop, collect, and summarize meaningful measures of application security to evaluate program performance

Collaborate with other leaders to understand vulnerabilities and to develop mitigation strategies that address current findings and reduce the likelihood of future occurrence of the same classes of issues

Ensure integration of security tooling into CI/CD pipelines with minimal developer friction

Review the technical methods and output of the AppSec team to ascertain the quality and fit of activities such as thread modeling, secure design reviews, and architectural risk assessments, and provide constructive and detailed feedback to improve team members’ ability to perform their duties

Lead improvements in secure coding standards, developer training, and evaluation of assessment tools

Review client-sponsored application assessments to qualify and prepare responses

Perform other duties as assigned

Set clear expectations, offer direction, and ensure alignment with organizational goals while fostering a supportive environment that encourages collaboration, accountability, and growth.

Coach, mentor, and provide training opportunities to build team members’ skills, promote internal growth, and prepare staff for future roles and responsibilities.

Manage hiring, onboarding, performance evaluations, promotions, compensation, and terminations, ensuring fair and consistent application of policies and procedures.

Assess team performance regularly, address gaps, and ensure duties are completed efficiently and effectively in alignment with department and organizational objectives.

Bachelor's degree in Computer Science, Information Assurance, Information Security, Cybersecurity, or related field is required; or equivalent combination of education and experience in cybersecurity with demonstrated command of key application security concepts and technologies and proficiencies in threat modeling, detective and preventative controls, application security testing, and other relevant technical security risk management domains.

Certifications relevant to application security or management of application security teams, such as the GWEB, GWAPT, CSSLP, or CISM, are preferred.

5 years of hands-on technical experience directly working with detective security controls, including web application firewalls, TLS introspecting proxies, tools integrated into CI/CD pipelines, including SCA, SAST, DAST, and MAST required.

3 years of experience leading complex security initiatives or driving secure application design practices within a team or organization required. This may include project leadership, technical mentorship, or ownership of code security or quality programs, ideally within financial institutions or fintech companies..

Experience with large-scale AWS operating environments, Linux, Kubernetes, Git, and scripting languages required.

Experience with administering public or private bug bounty programs required.

Experience analyzing and summarizing trends in application-layer threats, vulnerabilities, and posture to internal management teams is required.  Applicants are invited to provide an example or excerpt of a report or presentation they solely developed, with any confidential information redacted, in their cover letter that illustrates this experience and skill.

Excellent teamwork skills, including the ability to develop long-term partnerships for continual improvement in established technology platforms with mature product lifecycle management processes

Excellent data analysis skills, including using tools like Excel or Google Sheets, to customize and report on key metrics specifically useful for the company and relevant to the current threat environment and organizational needs of the company

Strong written and verbal communication skills, including the ability to develop clear, data-driven reports and presentations using Google Docs, Slides, or R

Strong presentation delivery skills, including the ability to speak confidently to underlying data and data-driven insights to internal technical and management teams, and, as needed, to clients’ technical or management teams

Ability to read, comprehend, and contextualize technical details contained in vulnerability assessments and penetration testing reports accurately

Ability to respectfully challenge norms and appropriately question assumptions and approaches to uncover and critically evaluate operational blind spots or procedural weaknesses

Expert knowledge of application security concepts as it relates to detecting anomalous and threatening HTTPS and WebSocket activity, including those covered by the OWASP Top 10 and the Common Weakness Enumeration

Strong knowledge of cloud security, particularly in AWS (e.g., IAM, Cognito, Inspector, KMS, Lambda, S3) and the AWS shared responsibility model

Strong knowledge of vulnerability prioritization methods, including through the Common Vulnerability Scoring System (CVSS) and the Exploit Prediction Scoring System (EPSS)

Strong knowledge of financial regulations that influence application security designs, including PCI DSS

Calm and serious attitude, technical aptitude, appropriate sense of urgency, and communication skills to effectively coordinate with internal team members to remediate vulnerabilities and reduce security risks

Must have strong client orientation and demonstrate professional demeanor that earns the trust and respect of individuals inside and outside Lumin Digital

Ability to prioritize tasks, exercise sound judgment, and maintain confidentiality with sensitive information

Ability to work remotely while maintaining a high level of productivity and effectiveness, managing a highly performing team with limited or no supervision

Minimal, generally 12 days or less per year

$175,000 - $194,998 a year