Key Responsibilities
Application & Architecture Security
- Review and approve security architecture for applications built on microservices architectures, including service-to-service communication, API gateways, event-driven components, and shared platform services deployed in AWS.
- Assess security risks in new application functionalities, major architectural changes, and technology introductions, ensuring security is embedded early in the SDLC.
- Define and enforce secure-by-design principles across application development teams.
- Review and guide application authentication and authorization designs, including OAuth 2.0, OpenID Connect, token-based authentication, and identity federation models.
- Ensure consistent, scalable, and secure identity patterns for internal services, external clients, and partner integrations.
- Provide architectural oversight on secrets management, token lifecycles, and access control models.
- Develop and maintain security architecture patterns for client-facing and partner integrations, including APIs, webhooks, and third-party service connections.
- Review integration security controls such as authentication, authorization, encryption, rate limiting, data minimization, and abuse prevention.
- Ensure integration designs balance strong security with performance and developer experience.
Threat Modeling & Risk Assessment
- Lead and perform threat modeling for all critical applications and systems, identifying attack vectors, trust boundaries, and security control gaps.
- Translate threat modeling outcomes into actionable security requirements, architectural changes, and engineering guidance.
- Maintain risk-based prioritization of remediation efforts aligned with business criticality.
- Define reusable application security architecture patterns, reference designs, and guardrails to be adopted across teams.
- Provide security design reviews and architectural sign-off for high-risk or business-critical systems.
- Partner with engineering leadership to embed security patterns into platform services and shared tooling.
- Act as a senior security partner to Engineering, Product, Platform, and Cloud teams.
- Mentor application security engineers and influence secure engineering practices at scale.
- Represent application security architecture in senior leadership forums and technical design reviews.
Requirements
- Bachelor's degree in Computer Science, Information Security, or related field. Relevant certifications (e.g., CISSP, GIAC) are a plus.
- 12+ years in cybersecurity/information security.
- Experience securing financial services, payments, or regulated technology platforms.
- Familiarity with DevSecOps practices and integrating security into CI/CD pipelines.
- Deep experience securing microservices-based applications deployed in AWS environments.
- Strong understanding of API security, service-to-service authentication, and distributed system risks.
- Proven understanding of OAuth 2.0, OpenID Connect, and modern authentication/authorization models.
- Hands-on experience conducting threat modeling for complex, distributed systems.
- Ability to design and govern end-to-end application security architectures, including internal services and external integrations.
- Experience creating and scaling security architecture patterns and reference designs.
- Strong understanding of cloud-native security controls and shared responsibility models.
