Cox Automotive
The Lead Application Security Engineer will partner with Security Engineering Enablement and Security Architecture to design and ship secure software: secure code reviews and help define requirements on prerelease control validation (SAST/DAST/SCA, API security, Container/IaC scans). Drive fix-first coaching-turn findings into clear remediation guidance and code examples, to help teams remediate security findings.
The team is the Center of Excellence (COE) for Application Security, Web Application Firewalls and Cloud Security. In this capacity, the Lead AppSec Engineer can provide advice and guidance to teams in these areas to support the established standards and policies, in the form of Office Hours, Brown Bags or team consultation sessions.
Operate, administer, and continuously improve our off the shelf AppSec and CloudSec tools (WAF infrastructure management, user onboarding, policy/config, integrations). Partner with Cloud Platform teams to harden AWS/Azure/GCP environments using CSPM/CNAPP controls, guardrails, and baselines; Support system administration, configuration, and maintenance for the AppSec/CloudSec/WAF toolset (identity/roles, agent health, connectors, backups, upgrades, and DR testing). Use scripting/automation (Python, PowerShell, Bash, REST APIs, Terraform modules, GitHub Actions/Azure DevOps/GitLab CI) for ad hoc fixes and to reduce toil (bulk policy changes, project provisioning, baseline exceptions, report consolidation). Stakeholder for helping design Secure Pipelines to be implemented by the Security Engineering Enablement team
Bachelor's degree in a related discipline and 6 years' experience in a related field. or 18 years' experience in a related field 2 years in Application / Product security or software engineering with a strong security focus. Hands on depth with modern SDLC/DevSecOps in cloud-native environments: microservices, APIs, containers/Kubernetes, serverless, IaC (Terraform/CloudFormation/ARM/Bicep), and CI/CD integration. Practical expertise operating and tuning SAST, DAST, SCA, API testing, IaC/container scanners, plus CNAPP for multi cloud. Scripting/automation proficiency (Python preferred; able to create quick utilities and pipeline jobs to reduce manual effort. Strong knowledge of OWASP Top 10, ASVS, SAMM, NIST SSDF, CSA CCM, secure design patterns, cryptography fundamentals, authN/Z (OAuth2/OIDC/JWT), and common web/API vulns and mitigations. Excellent communicator who can simplify complex risk for engineers and leaders; Familiarity with software supply chain security (SBOMs, signing, provenance, dependency risk) and runtime protection (RASP, WAF/WL, EDR for containers). Strong understanding of cloud architecture and infrastructure Collaborate with AI agents to build, test, and deploy software across the SDLC, by using proper contextual inputs to improve AI understanding and output quality. Implement AI-powered features and pipelines in our software Contribute to prompt engineering experimentation and share tool usage insights. Define coding standards, review practices, and ethical guidelines for AI use. Mentor peers and coach junior team members on AI-augmented development. No OPT, CPT, STEM/OPT or visa sponsorship now or in future.
WAF engineering experience (policy design, tuning, false positive management, bot/rate limit controls, logging/observability, blue/green rollout). CISSP, CSSLP, GWAPT, GCSA, GCP/AWS/Azure security) are a plus. seven paid holidays throughout the calendar year;