About the role

Lead Application Security Engineer at Cox Automotive focusing on secure software design and application security practices. Partnering with various teams to ensure robust security standards.

Responsibilities

partner with Security Engineering Enablement and Security Architecture to design and ship secure software
secure code reviews and help define requirements on prerelease control validation (SAST/DAST/SCA, API security, Container/IaC scans)
Drive fix-first coaching—turn findings into clear remediation guidance and code examples
operate, administer, and continuously improve our off the shelf AppSec and CloudSec tools
Triage and disposition vulnerabilities across SAST/DAST/SCA/API/IaC/CSPM sources
partner with Cloud Platform teams to harden AWS/Azure/GCP environments using CSPM/CNAPP controls
support system administration, configuration, and maintenance for the AppSec/CloudSec/WAF toolset
evaluate security tools on an ongoing basis
serve as first-line triage for Responsible Disclosure submissions
ensure consistent communications with Responsible Disclosure reporters and internal stakeholders
use scripting/automation (Python, PowerShell, Bash, REST APIs, Terraform modules, GitHub Actions/Azure DevOps/GitLab CI)
stakeholder for helping design Secure Pipelines

Bachelor’s degree in a related discipline and 6 years’ experience in a related field
2 years in Application / Product security or software engineering with a strong security focus
Hands on depth with modern SDLC/DevSecOps in cloud-native environments: microservices, APIs, containers/Kubernetes, serverless, IaC (Terraform/CloudFormation/ARM/Bicep), and CI/CD integration
Practical expertise operating and tuning SAST, DAST, SCA, API testing, IaC/container scanners, plus CNAPP for multi cloud
Scripting/automation proficiency (Python preferred; PowerShell/Bash nice) and REST API integration skills
Strong knowledge of OWASP Top 10, ASVS, SAMM, NIST SSDF, CSA CCM, secure design patterns, cryptography fundamentals, authN/Z (OAuth2/OIDC/JWT)
Experience triaging responsible disclosure or bug bounty reports and driving coordinated remediation with product teams
Familiarity with software supply chain security (SBOMs, signing, provenance, dependency risk) and runtime protection (RASP, WAF/WL, EDR for containers)
Strong understanding of cloud architecture and infrastructure

The Company offers eligible employees the flexibility to take as much vacation with pay as they deem consistent with their duties, the company’s needs, and its obligations
seven paid holidays throughout the calendar year
up to 160 hours of paid wellness annually for their own wellness or that of family members
additional paid time off in the form of bereavement leave, time off to vote, jury duty leave, volunteer time off, military leave, and parental leave
health care insurance (medical, dental, vision)
retirement planning (401(k))
paid days off (sick leave, parental leave, flexible vacation/wellness days, and/or PTO)