Application Security Engineer III

We’re seeking a Senior Application Security Consultant with deep expertise in software security, secure development practices, governance, and framework-driven transformation planning. In this role, you will lead client engagements to assess Application Security Programs (AppSec) against industry frameworks and deliver strategic roadmaps that help organizations build, scale, and measure their secure software development capabilities. This position blends strategic consulting, technical governance, and development lifecycle expertise to translate assessment findings into actionable, measurable programs aligned with frameworks such as BSIMM and NIST SSDF.

Key Responsibilities

• Lead AppSec Program maturity assessments using frameworks like BSIMM, NIST SSDF, and OWASP SAMM, including stakeholder interviews, evidence collection, and scoring.
• Design and deliver Strategic Roadmaps outlining target states, 12–36-month plans, resource needs, and success metrics.
• Facilitate workshops with executive, engineering, and AppSec leadership to align initiatives with organizational risk and compliance goals.
• Deliver compelling, executive-level presentations and recommendations to CISOs, CTOs, and software leadership teams.
• Contribute to internal tools and accelerators (e.g., maturity scoring tools, roadmap templates, reporting dashboards).
• Support thought leadership through whitepapers, webinars, and conference presentations on secure software development and governance.

Qualifications

Must to have:

• 5 – 8 years of experience in application security, software assurance, or product security consulting.
• Strong knowledge of frameworks such as BSIMM, NIST SSDF, or OWASP SAMM.
• Experience with Open-Source Software (OSS) security, including identification, tracking, and remediation of vulnerabilities in third-party components.
• Familiarity with Software Bill of Materials (SBOM) standards and tools (e.g., SPDX, CycloneDX), and their role in software supply chain transparency and compliance
• Proven experience in developing or executing maturity models, capability assessments, or multi-year roadmaps for AppSec or DevSecOps programs.
• Hands-on experience with secure software development practices, including familiarity with SDLC, CI/CD pipelines, and code-level security controls.
• Excellent verbal and written communication skills, with the ability to translate technical findings into clear, executive-level narratives and actionable plans.
• Strong presentation and facilitation skills in client-facing environments.

Nice to have:

• Prior consulting experience with a Big Four, boutique AppSec consultancy, or internal software security governance team.
• Experience in software supply chain risk management (SSCRM), AI/ML assurance, or DevSecOps pipeline design.
• Background in software development (e.g., Java, Python, C#) and experience working within secure SDLCs.
• Industry certifications such as CEH, CISSP, CISM, or equivalent.

What You’ll Deliver

• Comprehensive AppSec Program Roadmaps, maturity assessments, and framework-aligned reports.
• Visuals and documentation for capability maturity models and strategic planning.
• Executive summaries and strategic recommendations tailored to leadership audiences.