Responsibilities

  • Lead and mentor the Application Security team, setting priorities, conducting code reviews, and fostering a security-first engineering culture across the organization.

  • Own the Secure Software Development Lifecycle (SSDLC), embedding security gates—threat modeling, static/dynamic analysis, dependency scanning—into the CI/CD pipeline for the company's product.

  • Drive vulnerability management end-to-end, from triage and risk-scoring of findings (SAST, DAST, pen tests, bug bounties) through to coordinating remediation timelines with development teams.

  • Define and maintain application security standards, policies, and guidelines aligned with financial-industry regulations (e.g., PCI DSS, SOC 2, GDPR) and ensure the product stays compliant.

  • Partner with Product, Engineering, and DevOps leadership to assess security risk of new features and architectural changes, providing pragmatic guidance that balances speed-to-market with risk tolerance.

  • Plan and oversee regular penetration testing and red-team exercises on the company's product, translating results into actionable roadmap items and reporting risk posture to senior management.

Requirements

  • 10+ years of hands-on application security experience, with at least 4 years in a lead or senior role managing a team of security engineers.

  • Deep expertise in secure coding practices and common vulnerability classes (OWASP Top 10, CWE/SANS Top 25) across modern tech stacks (e.g., Java, Python, .NET, JavaScript/TypeScript).

  • Strong experience with SAST, DAST, SCA, and IAST tools (e.g., Checkmarx, SonarQube, Burp Suite, Snyk, Semgrep) and integrating them into CI/CD pipelines.

  • Solid understanding of cloud security (AWS, Azure, or GCP), container security (Docker, Kubernetes), and infrastructure-as-code scanning.

  • Experience with threat modeling methodologies (STRIDE, PASTA, Attack Trees) and ability to lead threat modeling sessions with engineering teams.

  • Working knowledge of financial-industry compliance frameworks — PCI DSS, SOC 2, GDPR, or similar regulatory requirements relevant to fintech/financial services.

  • Proven ability to communicate security risks to both technical and non-technical stakeholders, including C-level executives, translating findings into business impact.

Nice-to-Have

  • Relevant certifications — CSSLP, OSCP, OSWE, GWAPT, CEH, or CISSP.

  • Experience running or managing bug bounty programs.

  • Background in penetration testing or red teaming, especially against financial applications.

  • Experience with API security (OAuth 2.0, OpenID Connect, REST/GraphQL hardening).

  • Familiarity with DevSecOps culture and building security champions programs within engineering organizations.

  • Contribution to open-source security tools or active participation in the AppSec community (OWASP chapters, conference talks, published research).