About The Position

We’re looking for bold, entrepreneurial talent ready to help build something extraordinary — and reshape the future of building products distribution. QXO is a publicly traded company founded by Brad Jacobs with the goal of building the market-leading company in the building products distribution industry. On April 30, 2025, QXO completed its first acquisition: Beacon Building Products, a leading distributor in the sector. We are building a customer-focused, tech-enabled, and innovation-driven business that will scale rapidly through accretive M&A, organic growth, and greenfield expansion. Our strategy is rooted in delivering exceptional customer experiences, improving operational efficiency, and leveraging data, digital tools, and AI to modernize a historically under-digitized industry.

As a Senior Manager, Application Security at QXO, you’ll lead the security strategy for an AI-first engineering organization. You will embed security into CI/CD pipelines, cloud-native architectures, and agentic AI systems while operating as a hands-on technical leader. In the near term, this role is expected to directly participate in architecture reviews, pipeline integration, and AI system security design while building and scaling a high-performing Application Security function that enables innovation without increasing enterprise risk.

Requirements

  • 8+ years of experience in application security, DevSecOps, cloud security, or secure software engineering.
  • 3+ years of experience leading technical teams in high-velocity engineering environments.
  • Deep expertise in CI/CD automation, pipeline security, and security-as-code implementation.
  • Experience securing cloud-native architectures across AWS, Azure, or GCP environments.
  • Strong understanding of secure coding standards, OWASP Top 10, threat modeling, and modern software supply chain risks.
  • Experience evaluating, governing, or securing AI-assisted development tools and LLM-powered systems.
  • Familiarity with risks unique to AI-enabled systems, including prompt injection, context leakage, model misuse, and autonomous execution control gaps.
  • Ability to partner effectively with senior engineering leadership in a fast-scaling, innovation-driven organization.
  • Relevant certifications such as CISSP, CSSLP, cloud security credentials, or AI governance certifications preferred.

Nice To Haves

  • Direct experience integrating and operating modern AppSec tooling within CI/CD pipelines, including SAST, SCA, container scanning, IaC security, secrets detection, and SBOM generation.
  • Strong hands-on capability with secure coding and code review in languages such as Python, Go, TypeScript, or Java, with the ability to guide engineers through remediation and secure design decisions.
  • Practical experience securing cloud-native architectures across AWS, Azure, or GCP, including building reusable secure patterns and hardened templates.
  • Hands-on work securing AI/LLM systems, including inference endpoints, vector databases, model integration layers, RAG pipelines, and orchestration frameworks (e.g., LangChain, LlamaIndex, or similar).
  • Experience testing and mitigating AI system vulnerabilities such as prompt injection, jailbreaks, context leakage, insecure tool execution, hallucinated dependencies, and model misuse risks.
  • Experience evaluating and governing AI-assisted developer tools (e.g., GitHub Copilot, Claude Code, Factory AI, Codeium) and validating AI-generated code for security and reliability prior to deployment.
  • Familiarity with AI-specific threat modeling methodologies (e.g., STRIDE adaptations for AI systems, MITRE ATLAS) and integrating them into SDLC workflows.
  • Proven ability to stand up new security capabilities from the ground up, including tool selection, pipeline automation, documentation, and developer enablement programs.
  • Demonstrated credibility working closely with engineers, platform teams, architects, ML/data teams, and product owners to embed security into design and sprint planning.
  • Comfort operating as an individual contributor while scaling a team, participating directly in code reviews, pipeline builds, and deep technical reviews.

Responsibilities

  • Define and execute QXO’s DevSecOps and Secure AI engineering strategy aligned to enterprise growth and digital transformation objectives.
  • Embed automated security controls into CI/CD pipelines, including SAST, DAST, SCA, container scanning, secrets detection, SBOM generation, and infrastructure-as-code validation.
  • Design and operationalize secure architecture patterns for APIs, microservices, containers, serverless, and cloud-native applications.
  • Partner with engineering and AI teams to secure agentic AI systems, including LLM integration layers, inference endpoints, vector stores, RAG pipelines, orchestration frameworks, and model-to-tool execution pathways.
  • Define guardrails to mitigate risks such as prompt injection, jailbreaks, context leakage, hallucinated dependencies, insecure agent execution, and privilege escalation via autonomous systems.
  • Ensure AI-generated code and model-integrated features meet secure coding standards and undergo automated validation prior to production deployment.
  • Lead application and AI-system vulnerability management, driving measurable reduction in risk and improved remediation velocity.
  • Strengthen software supply chain security, including SBOM governance and dependency risk management.
  • Build and scale an Application Security / DevSecOps team while fostering a shared security ownership model across engineering.

Benefits

  • Annual performance bonus
  • 401(k) with employer match
  • Medical, dental, and vision insurance
  • PTO, company holidays, and parental leave
  • Paid Time Off/Paid Sick Leave: Applicants can expect to accrue 15 days of paid time off during their first year (4.62 hours for every 80 hours worked) and increased accruals after five years of service.
  • Paid training and certifications
  • Legal assistance and identity protection
  • Pet insurance
  • Employee assistance program (EAP)