Himalayas Remote / WFH Teknologi & IT Full Time

Senior DevSecOps / Security Engineer – Application & Cloud (Ecommerce)

Thorne

Canada, Denmark, Finland, Germany, Ireland, Netherlands, Norway, Sweden, United Kingdom, United States USD 150.000 – 180.000 Diposting 11 jam lalu
Lokasi Canada, Denmark, Finland, Germany, Ireland, Netherlands, Norway, Sweden, United Kingdom, United States
Gaji USD 150.000 – 180.000
Tipe Kerja Full Time · Remote
Negara Jerman
Lamar Sekarang

Deskripsi Pekerjaan

Informasi lengkap tentang posisi dan persyaratan

Ringkasan Yukerja

Lowongan Senior DevSecOps / Security Engineer – Application & Cloud (Ecommerce) di Thorne kami kurasi dari Himalayas (kategori Teknologi & IT). Posisi ini ditandai sebagai remote — pastikan timezone dan syarat lokasi kandidat di deskripsi resmi. Yukerja.com bukan pemberi kerja — lamaran diproses di situs sumber resmi.

At Thorne, we work to deliver high-quality, science-backed solutions to empower individuals to take a proactive approach to their well-being. Each day begins with a mission to help others discover and achieve their best health. We count on our team members to challenge and push the boundaries to make that happen. At Thorne, you’ll be joining a team of more than 750 passionate individuals committed to our cause of providing superior health solutions at every age and life stage.Thorne is seeking a Senior DevSecOps / Security Engineer – Application & Cloud (Ecommerce) to secure and scale our digital platforms, including Thorne.com, mobile applications, and emerging AI capabilities. This role sits at the intersection of application security, DevSecOps, and AWS cloud infrastructure, with a strong focus on protecting ecommerce systems, customer data, and high-traffic web applications. The ideal candidate will balance remediations and hands-on execution, ensuring systems are resilient, performant, and secure, while embedding security throughout the development lifecycle.

RESPONSIBILITIES


Application & Ecommerce Security · Identify and remediate vulnerabilities in Java-based applications (Spring Boot, APIs, microservices) · Address OWASP Top 10 and ecommerce-specific risks, including: o Injection (SQL/NoSQL), XSS, CSRF
o Broken authentication / session management
o Business logic flaws (checkout, pricing, promotions, abuse scenarios)
o Account takeover, credential stuffing, bot attacks
· Secure checkout flows, payment integrations, subscriptions, and customer data handling
· Conduct secure code reviews and support threat modeling for new features
API & Integration Security
· Secure REST/GraphQL APIs (authentication, authorization, rate limiting)
· Prevent API abuse, scraping, and data exfiltration
· Implement and enforce secure patterns (OAuth2, JWT, token management)
DevSecOps & CI/CD Security
· Implement and manage security tooling in CI/CD pipelines:
o SAST (Java-focused), DAST, SCA (dependencies), secrets scanning
· Secure build and deployment pipelines
· Enforce secure coding standards and automate policy checks
· Own infrastructure-as-code security (Terraform) for app environments
AWS Cloud Security (Critical)
· Secure application workloads on AWS (EKS/ECS, EC2, Lambda, API Gateway, S3, RDS)
· Implement and validate:
o IAM roles and least privilege access
o Network segmentation (VPCs, security groups, private/public boundaries)
o Secrets management (AWS Secrets Manager, Parameter Store)
o Data protection (encryption at rest/in transit)
· Partner with Infra to ensure alignment with enterprise guardrails, while owning app-layer cloud security
Runtime Protection & Detection
· Implement and tune WAF, bot protection, and rate limiting for ecommerce surfaces
· Partner with Infra on CrowdStrike coverage for application workloads
· Support detection and response improvements for:
o Web/app-layer attacks
o API abuse
· Triage and remediate findings from:
o Pen tests
o Purple team exercises
o Assumed breach scenarios
Security Program Execution
· Translate security findings into prioritized engineering work
· Partner with external security testing partners on risk prioritization (CTRM) tied to business impact
· Drive adoption of security best practices across engineering teams
· Act as a bridge between Ecom, Infrastructure, and external security partners

WHAT YOU NEED


Application & Ecommerce Security · Identify and remediate vulnerabilities in Java-based applications (Spring Boot, APIs, microservices) · Address OWASP Top 10 and ecommerce-specific risks, including:
  • Injection (SQL/NoSQL), XSS, CSRF
  • Broken authentication / session management
  • Business logic flaws (checkout, pricing, promotions, abuse scenarios)
  • Account takeover, credential stuffing, bot attacks
· Secure checkout flows, payment integrations, subscriptions, and customer data handling · Conduct secure code reviews and support threat modeling for new features
API & Integration Security · Secure REST/GraphQL APIs (authentication, authorization, rate limiting) · Prevent API abuse, scraping, and data exfiltration · Implement and enforce secure patterns (OAuth2, JWT, token management) DevSecOps & CI/CD Security · Implement and manage security tooling in CI/CD pipelines:
  • SAST (Java-focused), DAST, SCA (dependencies), secrets scanning
· Secure build and deployment pipelines · Enforce secure coding standards and automate policy checks · Own infrastructure-as-code security (Terraform) for app environments AWS Cloud Security (Critical) · Secure application workloads on AWS (EKS/ECS, EC2, Lambda, API Gateway, S3, RDS) · Implement and validate:
  • IAM roles and least privilege access
  • Network segmentation (VPCs, security groups, private/public boundaries)
  • Secrets management (AWS Secrets Manager, Parameter Store)
  • Data protection (encryption at rest/in transit)
· Partner with Infra to ensure alignment with enterprise guardrails, while owning app-layer cloud security Runtime Protection & Detection· Implement and tune WAF, bot protection, and rate limiting for ecommerce surfaces · Partner with Infra on CrowdStrike coverage for application workloads · Support detection and response improvements for:
  • Web/app-layer attacks
  • API abuse
· Triage and remediate findings from:
  • Pen tests
  • Purple team exercises
  • Assumed breach scenarios
Security Program Execution · Translate security findings into prioritized engineering work · Partner with external security testing partners on risk prioritization (CTRM) tied to business impact · Drive adoption of security best practices across engineering teams · Act as a bridge between Ecom, Infrastructure, and external security partners

WHAT WE OFFER

  • Competitive compensation
  • 100% company-paid medical, dental, and vision insurance coverage for employees
  • Company-paid short- and long-term disability insurance
  • Company- paid life insurance
  • 401k plan with employer matching contributions up to 4%
  • Gym membership reimbursement
  • Monthly allowance of Thorne supplements
  • Paid time off, volunteer time off and holiday leave
  • Training, professional development, and career growth opportunities

Originally posted on Himalayas

Sumber: Himalayas Diperbarui 10 menit lalu 6 kali dilihat

Disclaimer: Yukerja.com adalah agregator lowongan kerja, bukan pemberi kerja. Lowongan ini diagregasi dari Himalayas. Proses lamaran dilakukan di situs resmi perusahaan atau portal sumber. Kami tidak bertanggung jawab atas keakuratan informasi lowongan.

Tips Melamar Senior DevSecOps / Security Engineer – Application & Cloud (…

  1. Baca deskripsi lengkap dan pastikan skill Anda match sebelum melamar ke Thorne.
  2. Sesuaikan CV dan cover letter dengan kata kunci dari job description — terutama untuk kategori Teknologi & IT.
  3. Klik Lamar Sekarang untuk diarahkan ke Himalayas. Proses rekrutmen sepenuhnya di situs sumber.
  4. Siapkan portfolio atau LinkedIn yang update jika diminta di tahap screening.
  5. Waspadai permintaan transfer uang — lowongan resmi tidak memungut biaya.

Artikel terkait: CV ATS · Blog Karir & Tips