ACLU - National Office
The ACLU seeks applicants for the full-time position of
Application Security Architect
in the
Information Security Department
of the ACLU’s National office in
New York, NY . This is a
hybrid role
that has in-office requirements of two (2) days per week or eight (8) days per month. This role will define how secure applications are designed, integrated, and maintained across the ACLU’s cloud, SaaS, and hybrid environments. You’ll lead efforts to embed security throughout our software development lifecycle (SDLC), own our internal Security Architecture Review (SAR) process, and guide secure integration practices for highly customized platforms and other third-party applications critical to our civil liberties mission. The AppSec Architect will partner closely with product and platform teams, Tech Engineering, Devops, IT, and affiliates to assess and mitigate risks associated with application design, data flows, integrations, and third-party software usage. You’ll help set and enforce security standards, perform hands-on threat modeling, define secure development and deployment patterns, and directly support high-impact systems involving donor data, legal case workflows, and internal operational apps. This hands-on technical leadership role will own and drive the ACLU’s application security efforts across both internally developed and externally adopted applications. This position is part of a collective bargaining unit and is represented by ACLU Staff United (ASU). WHAT YOU'LL DO
Reporting to the
Director, Security Architecture & Engineering , the
Application Security Architect
will define and drive the ACLU’s application security roadmap—from code to cloud, and everything in between. YOUR DAY TO DAY
Lead the ACLU’s Application Security Program, owning the InfoSec SDLC strategy and continuous improvement of application-layer security across cross-functional teams. Own the Security Architecture Review (SAR) process, including intake, risk evaluation, documentation, and partner engagement. Perform and guide threat modeling for new applications, integrations, and high-risk workflows—including financial systems, legal platforms, and supporter/donor tools. Define secure design patterns for authentication (OAuth/OIDC), secrets management, API authorization, session handling, and data flow protections across internal and third-party systems. Evaluate, deploy, and maintain AppSec tooling such as SAST, DAST, SCA, API security tools, and secrets detection platforms, based on risk and developer stack alignment. Partner with stakeholders to assess internal cloud apps, low-code tools, and internal workflow automations for security risks. Oversee application-layer vulnerability triage, analysis, and escalation—including issues from internal testing, coordinated disclosure, and external penetration testing. Collaborate with platform owners of high-risk SaaS platforms to validate that application-level security controls—authZ, audit logging, IP allowlists, token lifetimes, etc.—are in place and enforced. Ensure application-layer security extends across data ecosystems, including ETL and reverse ETL pipelines, data warehouse platforms (e.g., Redshift, Snowflake), and high-risk integrations that move or transform sensitive donor, legal, or supporter data between internal systems and external SaaS tools. Identify and reduce emerging application-layer risks related to AI adoption, including prompt injection, model abuse, insecure integrations with LLM APIs, and exposure of sensitive data through AI-powered features or automations. FUTURE ACLU'ERS WILL
Be committed to advancing the mission of the ACLU Center and embed the principles of equity, inclusion and belonging in their work by demonstrating commitment to diversity with an approach that respects and values multiple perspectives Be committed to work collaboratively and respectfully toward resolving obstacles and conflicts WHAT YOU'LL BRING
Extensive experience in application or product security, secure software development, or DevSecOps architecture. Practical experience designing and implementing secure SDLC, AppSec testing workflows, or automated CI/CD security gates. Deep understanding of common software vulnerabilities (e.g., OWASP Top 10), secure coding practices, and threat modeling methodologies. Familiarity with GitHub Actions, modern SaaS stacks, and secure API design principles. Familiarity with CMS tooling (e.g., Drupal, WordPress), cloud computing platforms (e.g., GCP, Azure, AWS), and containerization environments (e.g., Kubernetes, Docker, ECS). Experience securing data pipelines and warehouse environments, with a focus on protecting structured data. Experience partnering directly with developers and product teams to influence secure outcomes. Excellent communication skills, especially when translating technical issues into business risk language. COMPENSATION
The ACLU is committed to equity, transparency, and clarity in pay. There is a set salary for each role based on geographic work location. The annual salary for this position is
$161,123 (Level - E) , reflecting the salary of a position based in New York, NY. Salaries are subject to a regional pay adjustment if authorization is granted to work outside of the location listed in this posting. For over 100 years, the ACLU has worked to defend and preserve the individual rights and liberties guaranteed by the Constitution and laws of the United States. We value our people and offer a range of benefits focused on well-being and professional development. Benefits include: Generous paid time off Comprehensive healthcare benefits (medical, dental, vision, parental leave, gender-affirming care & fertility treatment) 401k plan with employer match Annual professional development funds and programs OUR COMMITMENT TO ACCESSIBILITY, EQUITY, DIVERSITY & INCLUSION
Accessibility, equity, diversity and inclusion are core values of the ACLU. We strive to create a culture of belonging for all and actively promote anti-oppression, anti-ableism, and anti-racism in our work. We strongly encourage applications from all qualified individuals regardless of race, color, religion, gender, sexual orientation, gender identity or expression, age, national origin, marital status, citizenship, disability, veteran status, or any other characteristic protected by applicable law.
#J-18808-Ljbffr
Application Security Architect
in the
Information Security Department
of the ACLU’s National office in
New York, NY . This is a
hybrid role
that has in-office requirements of two (2) days per week or eight (8) days per month. This role will define how secure applications are designed, integrated, and maintained across the ACLU’s cloud, SaaS, and hybrid environments. You’ll lead efforts to embed security throughout our software development lifecycle (SDLC), own our internal Security Architecture Review (SAR) process, and guide secure integration practices for highly customized platforms and other third-party applications critical to our civil liberties mission. The AppSec Architect will partner closely with product and platform teams, Tech Engineering, Devops, IT, and affiliates to assess and mitigate risks associated with application design, data flows, integrations, and third-party software usage. You’ll help set and enforce security standards, perform hands-on threat modeling, define secure development and deployment patterns, and directly support high-impact systems involving donor data, legal case workflows, and internal operational apps. This hands-on technical leadership role will own and drive the ACLU’s application security efforts across both internally developed and externally adopted applications. This position is part of a collective bargaining unit and is represented by ACLU Staff United (ASU). WHAT YOU'LL DO
Reporting to the
Director, Security Architecture & Engineering , the
Application Security Architect
will define and drive the ACLU’s application security roadmap—from code to cloud, and everything in between. YOUR DAY TO DAY
Lead the ACLU’s Application Security Program, owning the InfoSec SDLC strategy and continuous improvement of application-layer security across cross-functional teams. Own the Security Architecture Review (SAR) process, including intake, risk evaluation, documentation, and partner engagement. Perform and guide threat modeling for new applications, integrations, and high-risk workflows—including financial systems, legal platforms, and supporter/donor tools. Define secure design patterns for authentication (OAuth/OIDC), secrets management, API authorization, session handling, and data flow protections across internal and third-party systems. Evaluate, deploy, and maintain AppSec tooling such as SAST, DAST, SCA, API security tools, and secrets detection platforms, based on risk and developer stack alignment. Partner with stakeholders to assess internal cloud apps, low-code tools, and internal workflow automations for security risks. Oversee application-layer vulnerability triage, analysis, and escalation—including issues from internal testing, coordinated disclosure, and external penetration testing. Collaborate with platform owners of high-risk SaaS platforms to validate that application-level security controls—authZ, audit logging, IP allowlists, token lifetimes, etc.—are in place and enforced. Ensure application-layer security extends across data ecosystems, including ETL and reverse ETL pipelines, data warehouse platforms (e.g., Redshift, Snowflake), and high-risk integrations that move or transform sensitive donor, legal, or supporter data between internal systems and external SaaS tools. Identify and reduce emerging application-layer risks related to AI adoption, including prompt injection, model abuse, insecure integrations with LLM APIs, and exposure of sensitive data through AI-powered features or automations. FUTURE ACLU'ERS WILL
Be committed to advancing the mission of the ACLU Center and embed the principles of equity, inclusion and belonging in their work by demonstrating commitment to diversity with an approach that respects and values multiple perspectives Be committed to work collaboratively and respectfully toward resolving obstacles and conflicts WHAT YOU'LL BRING
Extensive experience in application or product security, secure software development, or DevSecOps architecture. Practical experience designing and implementing secure SDLC, AppSec testing workflows, or automated CI/CD security gates. Deep understanding of common software vulnerabilities (e.g., OWASP Top 10), secure coding practices, and threat modeling methodologies. Familiarity with GitHub Actions, modern SaaS stacks, and secure API design principles. Familiarity with CMS tooling (e.g., Drupal, WordPress), cloud computing platforms (e.g., GCP, Azure, AWS), and containerization environments (e.g., Kubernetes, Docker, ECS). Experience securing data pipelines and warehouse environments, with a focus on protecting structured data. Experience partnering directly with developers and product teams to influence secure outcomes. Excellent communication skills, especially when translating technical issues into business risk language. COMPENSATION
The ACLU is committed to equity, transparency, and clarity in pay. There is a set salary for each role based on geographic work location. The annual salary for this position is
$161,123 (Level - E) , reflecting the salary of a position based in New York, NY. Salaries are subject to a regional pay adjustment if authorization is granted to work outside of the location listed in this posting. For over 100 years, the ACLU has worked to defend and preserve the individual rights and liberties guaranteed by the Constitution and laws of the United States. We value our people and offer a range of benefits focused on well-being and professional development. Benefits include: Generous paid time off Comprehensive healthcare benefits (medical, dental, vision, parental leave, gender-affirming care & fertility treatment) 401k plan with employer match Annual professional development funds and programs OUR COMMITMENT TO ACCESSIBILITY, EQUITY, DIVERSITY & INCLUSION
Accessibility, equity, diversity and inclusion are core values of the ACLU. We strive to create a culture of belonging for all and actively promote anti-oppression, anti-ableism, and anti-racism in our work. We strongly encourage applications from all qualified individuals regardless of race, color, religion, gender, sexual orientation, gender identity or expression, age, national origin, marital status, citizenship, disability, veteran status, or any other characteristic protected by applicable law.
#J-18808-Ljbffr