Manager, Application Security
Remote- United States
ERM – Security / Full Time / Remote
Basic Function
The Application Security (AppSec) team at Lumin Digital is responsible for guiding and supporting a secure software development lifecycle across all products and internal applications developed within the company. This team is responsible for helping code authors across the entire organization build security into our technology from early conceptualization and design phases, not bolt it on as an afterthought or check-the-box activity. This role leads the AppSec function by driving strategic improvements in application security, coordinating with teams across the company, and promoting a shared understanding that code quality includes security. The role requires strong technical leadership and collaboration to ensure our application security posture continuously evolves and strengthens over time.
Essential Functions and Responsibilities:
Track emerging industry threats, observed trends, and industry best-practice guidelines to identify gaps, then plan, design, and enhance our application security posture in collaboration across Lumin Digital
Develop, collect, and summarize meaningful measures of application security to evaluate program performance
Collaborate with other leaders to understand vulnerabilities and to develop mitigation strategies that address current findings and reduce the likelihood of future occurrence of the same classes of issues
Ensure integration of security tooling into CI/CD pipelines with minimal developer friction
Review the technical methods and output of the AppSec team to ascertain the quality and fit of activities such as threat modeling, secure design reviews, and architectural risk assessments, and provide constructive and detailed feedback to improve team members’ ability to perform their duties
Lead improvements in secure coding standards, developer training, and evaluation of assessment tools
Review client-sponsored application assessments to qualify and prepare responses
Perform other duties as assigned
Supervisory Responsibility:
Set clear expectations, offer direction, and ensure alignment with organizational goals while fostering a supportive environment that encourages collaboration, accountability, and growth.
Coach, mentor, and provide training opportunities to build team members’ skills, promote internal growth, and prepare staff for future roles and responsibilities.
Manage hiring, onboarding, performance evaluations, promotions, compensation, and terminations, ensuring fair and consistent application of policies and procedures.
Assess team performance regularly, address gaps, and ensure duties are completed efficiently and effectively in alignment with department and organizational objectives.
Position Specifications
Education:
Bachelor's degree in Computer Science, Information Assurance, Information Security, Cybersecurity, or related field is required; or equivalent combination of education and experience in cybersecurity with demonstrated command of key application security concepts and technologies and proficiencies in threat modeling, detective and preventative controls, application security testing, and other relevant technical security risk management domains.
Certifications relevant to application security or management of application security teams, such as the GWEB, GWAPT, CSSLP, or CISM, are preferred.
Experience:
5 years of hands-on technical experience directly working with detective security controls, including web application firewalls, TLS-introspecting proxies, and tools integrated into CI/CD pipelines (SCA, SAST, DAST, and MAST), is required.
3 years of experience leading complex security initiatives or driving secure application design practices within a team or organization is required. This may include project leadership, technical mentorship, or ownership of code security or quality programs, ideally within financial institutions or fintech companies.
Experience with large-scale AWS operating environments, Linux, Kubernetes, Git, and scripting languages required.
Experience with administering public or private bug bounty programs required.
Experience analyzing and summarizing trends in application-layer threats, vulnerabilities, and posture to internal management teams is required. Applicants are invited to provide an example or excerpt of a report or presentation they solely developed, with any confidential information redacted, in their cover letter that illustrates this experience and skill.
Knowledge, Skills, & Abilities:
Excellent teamwork skills, including the ability to develop long-term partnerships for continual improvement in established technology platforms with mature product lifecycle management processes
Excellent data analysis skills, including using tools like Excel or Google Sheets to customize and report on key metrics that are specifically useful to the company and relevant to the current threat environment and organizational needs
Strong written and verbal communication skills, including the ability to develop clear, data-driven reports and presentations using Google Docs, Slides, or R
Strong presentation delivery skills, including the ability to speak confidently to underlying data and data-driven insights to internal technical and management teams, and, as needed, to clients’ technical or management teams
Ability to read, comprehend, and contextualize technical details contained in vulnerability assessments and penetration testing reports accurately
Ability to respectfully challenge norms and appropriately question assumptions and approaches to uncover and critically evaluate operational blind spots or procedural weaknesses
Expert knowledge of application security concepts as they relate to detecting anomalous and threatening HTTPS and WebSocket activity, including the weakness classes covered by the OWASP Top 10 and the Common Weakness Enumeration
Strong knowledge of cloud security, particularly in AWS (e.g., IAM, Cognito, Inspector, KMS, Lambda, S3) and the AWS shared responsibility model
Strong knowledge of vulnerability prioritization methods, including through the Common Vulnerability Scoring System (CVSS) and the Exploit Prediction Scoring System (EPSS)
Strong knowledge of financial regulations that influence application security designs, including PCI DSS
Calm and serious attitude, technical aptitude, appropriate sense of urgency, and communication skills to effectively coordinate with internal team members to remediate vulnerabilities and reduce security risks
Must have strong client orientation and demonstrate professional demeanor that earns the trust and respect of individuals inside and outside Lumin Digital
Ability to prioritize tasks, exercise sound judgment, and maintain confidentiality with sensitive information
Ability to work remotely while maintaining a high level of productivity and effectiveness, managing a high-performing team with limited or no supervision
Travel:
Minimal, generally 12 days or less per year
$175,000 - $194,998 a year
LIFE AT LUMIN DIGITAL
Lumin Digital is a trailblazer in digital banking solutions, driven by a unique approach to technology, service, and people. We empower credit unions and banks by creating cutting-edge digital experiences that continuously serve, engage, and grow their membership base. Lumin is 100% cloud-native, purpose-built to unlock the full advantages of the cloud for financial institutions and their users.
At Lumin, we thrive on curiosity and innovation. Our culture fosters trust - in our expertise and decisions, respect - for diverse perspectives and talents, and boldness - in pursuing innovative paths. These values guide us, shaping a workplace where collaboration thrives, ideas flourish, and new possibilities are discovered. Focused on continuous improvement and innovation, we encourage our team to explore, experiment, and put new ideas into action, challenging the usual way of doing things.
All qualified applicants, including those with arrest or conviction records, will be considered for employment. Any conditional offer will include a notice regarding the review of the candidate’s criminal history as part of the hiring process.