Cox Automotive
Senior Application Security Engineer
Cox Automotive, Union City, Georgia, United States, 30291
The Senior Application Security Engineer will collaborate with Security Engineering Enablement and Security Architecture to design and deliver secure software. This role involves performing secure code reviews and establishing requirements for prerelease control validation, including SAST, DAST, SCA, API security, and Container/IaC scans. You will advocate for proactive solutions, turning findings into clear remediation guidance and code examples to assist teams in addressing security vulnerabilities.
As part of the Center of Excellence (COE) for Application Security, Web Application Firewalls, and Cloud Security, you will provide advice and guidance to teams based on established standards and policies through initiatives like Office Hours, Brown Bags, or team consultation sessions.
Key Responsibilities:
Administer and continually improve our off-the-shelf AppSec and CloudSec tools (managing WAF infrastructure, user onboarding, policy/config, integrations).
Triage and manage vulnerabilities across various sources (SAST/DAST/SCA/API/IaC/CSPM); lead reviews for false positives and maintain robust audit trails.
Work with Cloud Platform teams to enhance AWS/Azure/GCP environments using CSPM/CNAPP controls, guide secure practices for serverless architectures, Kubernetes, and secrets management.
Oversee system administration, configuration, and maintenance of the AppSec/CloudSec/WAF toolset.
Regularly evaluate security tools to ensure we utilize the most effective solutions for the enterprise.
Act as the primary triage contact for Responsible Disclosure submissions, assess issues, determine severity and impact, assign ownership and SLAs, and track issues to resolution.
Maintain clear communication with Responsible Disclosure reporters and internal stakeholders, ensuring accurate compliance records.
Utilize scripting and automation (Python preferred; PowerShell/Bash a bonus) for ad hoc fixes and to minimize repetitive tasks.
Contribute to the design of Secure Pipelines with the Security Engineering Enablement team.
Minimum Qualifications:
Bachelor's degree in a relevant discipline and 6 years of experience in a related field; alternatives include a master's degree with 4 years of experience, a Ph.D. with 1 year of experience, or 18 years of experience in a related field.
At least 2 years focused on Application/Product security or Software Engineering with a strong security emphasis.
Hands-on experience with modern SDLC and DevSecOps in cloud-native environments (microservices, APIs, containers/Kubernetes, serverless, IaC, and CI/CD integration).
Practical expertise in operating and tuning various security testing tools.
Proficiency in scripting and automation (Python preferred) and REST API integration.
Strong understanding of secure design patterns, OWASP Top 10, ASVS, SAMM, NIST SSDF, CSA CCM, cryptography fundamentals, and common web/API vulnerabilities.
Experience managing responsible disclosure or bug bounty reports, coordinating remediation efforts with product teams.
Excellent communication abilities to explain complex risks to engineering and leadership teams.
Familiarity with software supply chain security and runtime protection mechanisms.
Strong understanding of cloud architecture and infrastructure.
Collaborate with AI tools to enhance software development across the SDLC.
Implement AI-driven features and pipelines in our software projects.
Engage in prompt engineering experimentation and contribute insights on tool usage.
Set coding standards, review practices, and ethical guidelines for AI usage.
Mentor and coach peers, as well as junior team members, on AI-augmented development.
Applicants must be authorized to work in the United States without any current or future sponsorship.
Preferred Skills:
Experience in WAF engineering including policy design and tuning, logging/observability, and rollout strategies.
Relevant certifications such as CISSP, CSSLP, GWAPT, or GCP/AWS/Azure security are an advantage.
Experience with API security and Responsible Disclosure workflows is beneficial.
Compensation:
The salary range for this position is between $119,600.00 and $199,400.00, which may vary based on the candidate's skills and experience.
Benefits:
The Company offers flexible vacation policies, seven paid holidays each year, and up to 160 hours of paid wellness leave annually. Additional paid time off includes bereavement leave, time off to vote, jury duty leave, volunteer time off, military leave, and parental leave.