Lead Application Security Engineer
Senior
Api Security
Application Security
Cloud Platforms
Cybersecurity Tools
Engineering
Information Security
Information Technology (IT)
InfoSec
Java Language
Programming Language
Programming Languages
Risk Management
Security
Security Automation
Security Testing
Software Engineer
Software Engineering
Solution Architecture
Technical Lead
Job Description
What Carter's offers
This onsite leadership role places you at the helm of the enterprise AppSec program from a cybersecurity standpoint, with hands-on responsibilities in AI security. Based in Atlanta, GA, you will collaborate closely with engineering leadership to embed security into system design and SDLC processes, driving measurable improvements in risk reduction and security maturity. The position provides a clear path to influence architecture decisions, security tooling, and governance across the organization, while representing IT Security in audits and cross-functional planning.
Responsibilities
- Define and own the enterprise application security architecture, standards, and secure-by-default patterns
- Establish and maintain the AppSec tooling strategy, assess vendors, and champion adoption across engineering teams
- Lead threat modeling sessions for critical applications and new product features
- Serve as the final technical authority on AppSec decisions, including security design reviews and architecture signoffs
- Oversee advanced secure code reviews, SAST/DAST assessments, and manual penetration testing across web, mobile, and API surfaces
- Own API security standards for REST and GraphQL, enforcing OWASP API Top 10 controls and authentication/authorization design patterns
- Drive vulnerability triage, risk prioritization, and remediation accountability across development teams at scale
- Own the DevSecOps toolchain, designing, deploying, and maturing security gates within enterprise CI/CD pipelines
- Partner with engineering leadership to embed security into system design, SDLC processes, and platform decisions
- Continuously improve AppSec metrics, dashboards, and KPIs to demonstrate program maturity and risk reduction
- Hands-on development and deployment of AI-powered security tooling and automation, such as AI-assisted code review or threat detection
- Secure AI/ML integrations and connectors by assessing prompt injection, data leakage, model supply chain, and third‑party risks
- Develop and enforce AI governance policies, defining acceptable use, security review gates, and risk acceptance criteria
- Represent the IT Security team in architecture reviews, cross-functional planning, and executive risk reporting
- Maintain security policy and standards documentation relevant to application security, AI use, and API governance
- Lead AppSec representation in PCI DSS, NIST, and OWASP compliance audits and evidence collection
Requirements
- 5+ years in application security, software engineering, or secure code review
- Strong proficiency in one or more languages such as Python, Java, JavaScript, or Go, with capability for deep code review and threat modeling
- Experience with SAST/DAST tooling (Snyk, SonarQube, Semgrep, Checkmarx, Burp Suite, OWASP ZAP) and ownership of AppSec program design
- Effective communicator with the ability to present to multilevel stakeholders
- Demonstrated ability to meet deadlines and collaborate with management across disciplines
- Proven collaboration with cross-functional teams
- Willingness to perform on-call duties during off-hours and holidays
- Adaptable and flexible attitude toward changing business needs
- Bachelor's degree in computer science or a related field
- Experience leading or conducting red team, penetration testing, or adversarial simulations
- Experience designing and scaling security observability pipelines, including log analysis and application-layer telemetry
- Working knowledge of PCI-DSS, NIST, OWASP, and other frameworks; experience representing security in audits
- Proven track record securing cloud-native or hybrid-cloud environments (AWS, Azure, or GCP)
- Hands-on experience building, deploying, or integrating AI/ML tools, with ability to assess and govern their security posture (prompt injection, data leakage, model supply chain risks)
- Ability to define and enforce security standards across engineering organizations; prior experience owning a security capability or domain
- Security certifications such as Security+, ISC2 CC, CompTIA A+, CompTIA Network+, SSCP, CCT, GWEB, CSSLP, CEH, or OSCP
Technologies
- Python
- Java
- JavaScript
- Go
- Snyk
- SonarQube
- Semgrep
- Checkmarx
- Burp Suite
- OWASP ZAP
- REST
- GraphQL
- AWS
- Azure
- GCP
- PCI-DSS
- NIST
- OWASP
Travel
- Open to travel between Carter's offices as needed