Engineer, Application Security

KeHE Distributors, LLC
Naperville, United States of America
22 days ago

Role details

Contract type
Permanent contract
Employment type
Full-time (> 32 hours)
Working hours
Regular working hours
Languages
English
Experience level
Intermediate
Compensation
$ 115K

Job location

Remote
Naperville, United States of America

Tech stack

Kubernetes Security
API
Artificial Intelligence
Amazon Web Services (AWS)
Architectural Patterns
Azure
Cloud Computing
Computer Security
Continuous Integration
Identity and Access Management
Information Systems Security Architecture Professional
Python
Key Management
Open Web Application Security
Powershell
Systems Development Life Cycle
Role-Based Access Control
Secure Coding
Software Engineering
Software Vulnerability Management
Scripting (Bash/Python/Go/Ruby)
Cloud Platform System
Spring Cloud
Large Language Models
Software Security
Cloudformation
Git Flow
Information Technology
CIS Benchmarks
Terraform
Devsecops
Serverless Computing
Static Application Security Testing
Microservices
Dynamic Application Security Testing

Job description

The Application Security Engineer (AppSec) reduces application and software risk by embedding security into the secure software development lifecycle (SSDLC). This role partners closely with engineering, infrastructure, and product teams to design secure architectures, perform threat modeling, implement security testing and CI/CD controls, and drive remediation of vulnerabilities. As the organization's AI adoption expands across business and engineering teams, the incumbent will help evaluate and shape security practices for emerging AI and agentic tools, including GenAI assessments and guardrail development as these programs mature. The role develops practical security standards, builds and operates a vulnerability operations function, improves developer enablement through reusable patterns and automation, and supports investigations related to application vulnerabilities, insecure configurations, or software supply chain risk. As with all positions at KeHE Distributors, all actions and responsibilities are expected to align with KeHE's Mission, Vision, and Values., + Secure SDLC Integration: Partner with software engineering teams to embed security activities (design, build, test, deploy, operate) into the SDLC, including performing threat modeling and security design reviews.

  • Standards & Patterns: Define, maintain, and promote "secure-by-default" coding standards, reusable security control patterns, and templates to scale consistent security practices.
  • AppSec Tooling & Automation: Implement, operate, and continuously tune application security testing tools (SAST, DAST, SCA, secrets, containers, IaC) within CI/CD pipelines to ensure high-signal, actionable feedback.
  • Risk-Based Vulnerability Management: Triage, validate, and prioritize application security findings based on business impact and exposure; track remediation SLAs, verify fixes, and document risk acceptances or compensating controls.
  • Modern Architecture & Platform Security: Provide security guidance on modern architectures (APIs, microservices, cloud, serverless), focusing on identity/access management (RBAC, least privilege, token handling), rate limiting, and secure configurations.
  • Supply Chain & Secrets Reduction: Mitigate software supply chain risks through strict dependency governance and secure artifact management, while driving improvements in secrets management to eliminate hard-coded credentials.
  • Incident Response Support: Assist Security Operations and engineering teams with investigating AppSec incidents (e.g., exposed secrets, exploits), and lead post-incident reviews to implement preventative guardrails.
  • Governance, Risk, & Compliance: Provide control evidence to support compliance audits and evaluate the security posture of third-party/vendor-integrated applications.
  • Developer Enablement & Culture: Foster a strong security culture by delivering security training, hosting office hours, publishing developer-friendly documentation, and demonstrating company core values.
  • AI & Agentic Tool Security: Oversee security for GenAI, RAG, and agentic tools by conducting OWASP LLM/Agentic Top 10 assessments, enforcing per-tool security checklists (blast-radius and data boundaries), and owning the security sign-off for POC-to-production decisions
  • Other duties and projects as assigned.

Requirements

Do you have a Bachelor's degree?, + Strong understanding of application security fundamentals and common vulnerability classes (e.g., OWASP Top 10) and secure coding practices.

  • Experience conducting threat modeling and security design reviews; ability to identify abuse cases, trust boundaries, and mitigations.

  • Hands-on experience with application security testing methodologies and tools (SAST/DAST/SCA, secrets scanning); ability to interpret results and drive remediation.

  • Experience integrating security checks into CI/CD pipelines and developer workflows; familiarity with Git-based workflows and modern build/release practices.

  • Ability to prioritize findings using risk context (asset criticality, exposure, exploitability, data sensitivity).

  • Strong written and verbal communication skills; ability to translate security requirements into practical engineering actions.

  • Experience securing cloud-native applications (AWS preferred; Azure exposure a plus) and modern architectures (APIs, containers, microservices, serverless).

  • Familiarity with container and IaC security concepts (image scanning, Kubernetes security concepts, Terraform/CloudFormation scanning).

  • Scripting/automation skills (Python, PowerShell, or similar) to improve scale and reduce manual work.

  • Familiarity with secrets management tooling and practices (vaults, key management, rotation workflows).

  • Familiarity with secure SDLC governance and control mapping to common frameworks (NIST CSF, CIS Controls, NIST 800-53). EDUCATION AND EXPERIENCE:

  • Bachelor's degree in Computer Science, Software Engineering, Information Security, or related field; or equivalent practical experience.

  • 3-8+ years of experience in application security, secure software engineering, DevSecOps, or software development with significant security responsibilities. PHYSICAL REQUIREMENTS:

  • This position operates in a hybrid working environment, with in-person presence preferred Tuesday, Wednesday, and Thursday (remote work available Monday and Friday, as business needs allow).

  • Ability to work in a standard office environment which requires sitting and viewing monitor(s) for extended periods of time, operating

Benefits & conditions

Pulled from the full job description

  • 401(k)
  • Health insurance
  • Paid time off
  • Vision insurance
  • Health savings account
  • Dental insurance
  • Paid sick time

 

Full job description

Why Work for KeHE?:

  • Full-time
  • Pay Range: $78,210.00/Yr. - $114,648.00/Yr.
  • Shift Days: , Shift Time:
  • Benefits on Day 1
  • Health/Rx
  • Dental
  • Vision
  • Flexible and health spending accounts (FSA/HSA)
  • Supplemental life insurance
  • 401(k)
  • Paid time off
  • Paid sick time
  • Short term & long term disability coverage (STD/LTD)
  • Employee stock ownership (ESOP)
  • Holiday pay for company designated holidays Overview: At KeHE, we're obsessed with creating solutions, unboxing potential, and serving others - and it all starts with you. As an employee-owned distributor of natural and organic, specialty, and fresh products, we're committed to making a positive impact and scaling our success together. With a culture that fosters development and opportunity, you'll be embarking on a career that's moving forward. When you join KeHE, you're becoming part of a team that is a force for good

Apply for this position