Westfield

Lead Application Security Engineer

Westfield, Ashley, Ohio, 43003


Job Description

The Lead Application Security Engineer will be a core member of the Threat and Vulnerability Management (TVM) team. The role will be responsible for supporting the organization's Application and API Security Program. This individual will lead efforts to identify, assess, and mitigate vulnerabilities across applications and APIs, delivering strategic guidance while collaborating closely with IT, Asset and Application Owners, and Senior Information Security Leadership to drive security initiatives.

As an accomplished cybersecurity professional, the Lead Application Security Engineer will apply advanced expertise in application and API security, offensive security, risk assessment, and threat intelligence to proactively detect emerging cybersecurity threats and implement robust remediation measures. This role demands a deep understanding of key cybersecurity frameworks and standards, with a commitment to continuously enhance the security of the organization's applications, APIs, infrastructure, and data.

Responsibilities

- Corporate-wide Application Security and TVM security initiatives.
- Assessing IT and cybersecurity risks related to applications and identifying emerging application security threats.
- Managing, maintaining, and administering tools utilized for application security, including static and dynamic analysis tools.
- Maintains expert knowledge of security frameworks and standards: ensures application security practices align with industry standards, such as OWASP, NIST, and CIS controls, and incorporates these into security policies and procedures.
- Conducts comprehensive application security assessments: performs in-depth security testing and code reviews on new and existing applications to identify vulnerabilities and provides recommendations for remediation.
- Collaborates with IT and development teams: works closely with development and DevOps teams to implement secure coding practices, communicates application-related risks, and supports efforts to secure the application lifecycle.
- Advises business units on application security controls: partners with various business units to ensure application security controls are robust, appropriate, and effective, aligning security initiatives with business objectives.
- Participates in security planning and strategy sessions: actively contributes to security-related meetings, project teams, and workgroups, offering expertise and strategic input on application security initiatives.
- Supports compliance and audit efforts: assists with internal and external security audits, ensuring applications comply with regulatory requirements and industry standards.
- Promotes a strong security culture: advocates for application security awareness and best practices throughout the organization, fostering a proactive approach to secure development.
- Develops and delivers application security reports: prepares and presents reports on application security findings, offering insights and recommendations to stakeholders.
- Monitors and adapts to evolving security trends and regulations: keeps abreast of new regulatory requirements, application security trends, and technology developments to inform and adjust security practices accordingly.
- Occasional travel for special assignments and professional development: participates in specialized training, conferences, or office visits as needed to support application security objectives and team development.

Qualifications

- 5 years of experience in information technology or information security, with a focus in one or more of the following areas: Application Security, Offensive Security, Secure Software Development.
- Excellent written and oral communication skills, including the ability to:
  - Deliver messages in a clear, compelling, and concise manner.
  - Articulate complex security concepts in a way that is understandable by both technical and non-technical audiences.
  - Tailor communication content and style to meet the needs of diverse stakeholders.
  - Actively listen and ensure understanding across all parties.
- Strong analytical, critical thinking, and problem-solving skills: able to approach challenges creatively and develop effective solutions for application security.
- Proven ability to collaborate with both technical and non-technical teams: skilled in working tactfully with business stakeholders, developers, and IT resources to achieve security goals.
- Keen attention to detail: demonstrates accuracy and thoroughness in all work, with a commitment to verifying results and following through on tasks.
- Experience with application security tools (e.g., Snyk, Burp Suite, Checkmarx, Veracode, OWASP ZAP) and familiarity with static and dynamic application security testing (SAST/DAST) methodologies.
- Bachelor's degree in computer science, information technology, cybersecurity, or a related field, or equivalent work experience.
- Desired but not required certifications: security-focused certifications such as CISSP, CEH, GWAPT, OSCP, or similar industry-recognized credentials.
- Familiarity with industry-standard frameworks and best practices: understanding of OWASP Top Ten, NIST, or other security frameworks relevant to application security.
- Applicants must be currently authorized to work in the United States on a full-time basis.

Location

Hybrid, defined as three (3) or more days per week in the office.

Behavioral Competencies

- Collaborates
- Communicates Effectively
- Customer Focus
- Decision Quality
- Nimble Learning

About Us

Founded in 1848, Westfield is a global leader in property and casualty insurance, delivering superior risk insights and innovative solutions to customers through a diverse portfolio of insurance products. Westfield underwrites commercial, personal, surety, and specialty lines of coverage through a network of leading independent agents and brokers in the United States and specialty products through Lloyd's of London Syndicate 1200. As a mutual insurance company with more than 3,000 employees, Westfield has revenues in excess of $4 billion and more than $10 billion in assets.