Senior DevSecOps / Security Engineer – Application & Cloud (Ecommerce)

United States of America

Full Time

3 weeks ago

$150,000 - $180,000 USD

H1B Sponsor Likely

Key skills

JavaSpring BootAPIsMicroservicesOWASP Top 10SQL InjectionNoSQL InjectionCross-Site Scripting (XSS)Cross-Site Request Forgery (CSRF)AuthenticationSession ManagementBusiness Logic SecurityCredential StuffingBot ProtectionSecure Checkout FlowsPayment IntegrationsSubscription ManagementSecure Code ReviewThreat ModelingREST APIsGraphQL APIsOAuth2JWTToken ManagementSASTDASTSCASecrets ScanningCI/CD SecurityInfrastructure as CodeTerraformAWSAmazon EKSAmazon ECSAmazon EC2AWS LambdaAPI GatewayAmazon S3Amazon RDSIAMNetwork SegmentationVPCSecurity GroupsAWS Secrets ManagerAWS Parameter StoreData EncryptionWeb Application Firewall (WAF)CrowdStrikePenetration TestingPurple Team ExercisesSecurity Risk ManagementCTRMSecurity Best Practices AdoptionRisk PrioritizationSQLNoSQLSpringGraphQLECSEKSEC2LambdaS3RDSCI/CDOWASPCloud SecurityWAF

About this role

Thorne is a leader in science-backed health and wellness solutions, committed to helping individuals live healthier longer. They are seeking a Senior DevSecOps / Security Engineer – Application & Cloud (Ecommerce) to secure and scale their digital platforms, focusing on application security, DevSecOps, and AWS cloud infrastructure.

Responsibilities:

Identify and remediate vulnerabilities in Java-based applications (Spring Boot, APIs, microservices)
Address OWASP Top 10 and ecommerce-specific risks, including:
Injection (SQL/NoSQL), XSS, CSRF
Broken authentication / session management
Business logic flaws (checkout, pricing, promotions, abuse scenarios)
Account takeover, credential stuffing, bot attacks
Secure checkout flows, payment integrations, subscriptions, and customer data handling
Conduct secure code reviews and support threat modeling for new features
Secure REST/GraphQL APIs (authentication, authorization, rate limiting)
Prevent API abuse, scraping, and data exfiltration
Implement and enforce secure patterns (OAuth2, JWT, token management)
Implement and manage security tooling in CI/CD pipelines:
SAST (Java-focused), DAST, SCA (dependencies), secrets scanning
Secure build and deployment pipelines
Enforce secure coding standards and automate policy checks
Own infrastructure-as-code security (Terraform) for app environments
Secure application workloads on AWS (EKS/ECS, EC2, Lambda, API Gateway, S3, RDS)
Implement and validate:
IAM roles and least privilege access
Network segmentation (VPCs, security groups, private/public boundaries)
Secrets management (AWS Secrets Manager, Parameter Store)
Data protection (encryption at rest/in transit)
Partner with Infra to ensure alignment with enterprise guardrails, while owning app-layer cloud security
Implement and tune WAF, bot protection, and rate limiting for ecommerce surfaces
Partner with Infra on CrowdStrike coverage for application workloads
Support detection and response improvements for:
Web/app-layer attacks
API abuse
Triage and remediate findings from:
Pen tests
Purple team exercises
Assumed breach scenarios
Translate security findings into prioritized engineering work
Partner with external security testing partners on risk prioritization (CTRM) tied to business impact
Drive adoption of security best practices across engineering teams
Act as a bridge between Ecom, Infrastructure, and external security partners

Requirements:

Identify and remediate vulnerabilities in Java-based applications (Spring Boot, APIs, microservices)
Address OWASP Top 10 and ecommerce-specific risks, including: Injection (SQL/NoSQL), XSS, CSRF, Broken authentication / session management, Business logic flaws (checkout, pricing, promotions, abuse scenarios), Account takeover, credential stuffing, bot attacks, Secure checkout flows, payment integrations, subscriptions, and customer data handling
Conduct secure code reviews and support threat modeling for new features
Secure REST/GraphQL APIs (authentication, authorization, rate limiting)
Prevent API abuse, scraping, and data exfiltration
Implement and enforce secure patterns (OAuth2, JWT, token management)
Implement and manage security tooling in CI/CD pipelines: SAST (Java-focused), DAST, SCA (dependencies), secrets scanning
Secure build and deployment pipelines
Enforce secure coding standards and automate policy checks
Own infrastructure-as-code security (Terraform) for app environments
Secure application workloads on AWS (EKS/ECS, EC2, Lambda, API Gateway, S3, RDS)
Implement and validate: IAM roles and least privilege access, Network segmentation (VPCs, security groups, private/public boundaries), Secrets management (AWS Secrets Manager, Parameter Store), Data protection (encryption at rest/in transit)
Partner with Infra to ensure alignment with enterprise guardrails, while owning app-layer cloud security
Implement and tune WAF, bot protection, and rate limiting for ecommerce surfaces
Partner with Infra on CrowdStrike coverage for application workloads
Support detection and response improvements for: Web/app-layer attacks, API abuse
Triage and remediate findings from: Pen tests, Purple team exercises, Assumed breach scenarios
Translate security findings into prioritized engineering work
Partner with external security testing partners on risk prioritization (CTRM) tied to business impact
Drive adoption of security best practices across engineering teams
Act as a bridge between Ecom, Infrastructure, and external security partners