Stellantis is seeking an Application Security Analyst onsite in Auburn Hills, Michigan. This role offers the chance to shape security across the software development lifecycle, support a Shift Left cybersecurity strategy, and advance DevSecOps practices that integrate security into everyday development. You will collaborate with development teams and help drive secure coding and risk reduction across the organization.
You will collaborate with development, platform, and supplier teams, provide remediation guidance, and help train teams on secure coding and application security practices.
Responsibilities
- Perform security testing: SAST, DAST, IAST, mobile security, and dynamic testing
- Analyze vulnerabilities and recommend secure coding fixes
- Demonstrate vulnerabilities to development teams
- Drive remediation efforts to closure
- Work within CI/CD pipelines using tools such as Jenkins, GitLab, GitHub Actions, TeamCity; Checkmarx, GitHub Advanced Security, Burp Suite
- Integrate security controls into development workflows
- Lead Web Application Firewall (WAF) deployment for new and existing apps
- Implement application security policies, controls, and standards
- Partner with development, platform, and supplier teams
- Provide clear remediation guidance
- Train teams on secure coding and application security practices
- Develop training materials
- Conduct security assessments using standard tools
- Track and report risks, milestones, deliverables, and status updates
- Recommend strategies based on application risk posture
Requirements
- Bachelorβs degree in Computer Science, Information Technology, or related field
- 3+ years of hands-on experience in application security, security testing, and DevSecOps
- Application architectures (web, mobile, APIs)
- Software development methodologies (Agile, SDLC)
- Modern programming languages (Java, C#, Python)
- SAST, DAST, IAST, SCA, and mobile security testing tools
- Hands-on experience with secure code review in common languages (Java, C#, Python preferred)
- Compiled code
- Web applications / services
- Mobile app development
- NIST, ISO 27001
- NIST SSDF or similar secure development frameworks
- OWASP Top 10 vulnerabilities and mitigation techniques
- Common attack vectors (web exploits, DDoS, bot attacks)
- Akamai, Cloudflare, AWS WAF, Azure Front Door
- AWS, Azure, GCP
- Containers (Docker, Kubernetes)
- Programming/scripting: Java, JavaScript, SQL, HTML
- Scripting languages (Python, Bash preferred)
- Strong analytical, problem-solving, and communication skills
- Ability to explain technical risks to non-technical audiences
- Experience writing security reports and documentation
- Ability to work independently and cross-functionally
- GIAC GWEB
- ISC2 CSSLP
- EC-Council CASE
- Or equivalent AppSec certifications
Technologies: SAST, DAST, IAST, SCA, Java, C#, Python, JavaScript, SQL, HTML, Bash; Jenkins, GitLab, GitHub Actions, TeamCity; Checkmarx, GitHub Advanced Security, Burp Suite; Akamai, Cloudflare, AWS WAF, Azure Front Door; AWS, Azure, GCP; Docker, Kubernetes; NIST, ISO 27001, NIST SSDF