Lead Application Security Engineer

Title: Lead Application Security Engineer - 19562

Location:

• Atlanta GA
• Long Island NY

Full time

Job Description:

Company

Cox Automotive - USA

Job Family Group

Information Technology

Job Profile

Cybersecurity Lead Engineer

Management Level

Manager - Non People Leader

Flexible Work Option

Hybrid - Ability to work remotely part of the week

Travel %

Yes, 5% of the time

Work Shift

Day

Compensation

Compensation includes a base salary of $119,600.00 - $199,400.00. The base salary may vary within the anticipated base pay range based on factors such as the ultimate location of the position and the selected candidate’s knowledge, skills, and abilities. Position may be eligible for additional compensation that may include an incentive program.

Job Description

The Lead Application Security Engineer will partner with Security Engineering Enablement and Security Architecture to design and ship secure software: secure code reviews and help define requirements on prerelease control validation (SAST/DAST/SCA, API security, Container/IaC scans).  Drive fix-first coaching—turn findings into clear remediation guidance and code examples, to help teams remediate security findings. 

The team is the Center of Excellence (COE) for Application Security, Web Application Firewalls and Cloud Security. In this capacity, the Lead AppSec Engineer can provide advice and guidance to teams in these areas to support the established standards and policies, in the form of Office Hours, Brown Bags or team consultation sessions.

Primary Responsibilities:

• Operate, administer, and continuously improve our off the shelf AppSec and CloudSec tools (WAF infrastructure management, user onboarding, policy/config, integrations).
• Triage and disposition vulnerabilities across SAST/DAST/SCA/API/IaC/CSPM sources; lead false positive reviews and suppression/exception workflows with strong audit trails.
• Partner with Cloud Platform teams to harden AWS/Azure/GCP environments using CSPM/CNAPP controls, guardrails, and baselines; guide secure patterns for serverless, containers/Kubernetes, and secrets management.
• Support system administration, configuration, and maintenance for the AppSec/CloudSec/WAF toolset (identity/roles, agent health, connectors, backups, upgrades, and DR testing).
• Evaluate security tools on an ongoing basis, to ensure we are leveraging the best toolset that meets the enterprise's needs
• Serve as first-line triage for Responsible Disclosure submissions, reproduce issues, determine severity/impact, assign owners/SLAs, and track to closure.
• Ensure consistent communications with Responsible Disclosure reporters and internal stakeholders and maintain accurate records for compliance.
• Use scripting/automation (Python, PowerShell, Bash, REST APIs, Terraform modules, GitHub Actions/Azure DevOps/GitLab CI) for ad hoc fixes and to reduce toil (bulk policy changes, project provisioning, baseline exceptions, report consolidation).
• Stakeholder for helping design Secure Pipelines to be implemented by the Security Engineering Enablement team

Minimum Qualifications:

• Bachelor’s degree in a related discipline and 6 years’ experience in a related field. The right candidate could also have a different combination, such as a master’s degree and 4 years’ experience; a Ph.D. and 1 year of experience; or 18 years’ experience in a related field
• 2 years in Application / Product security or software engineering with a strong security focus.
• Hands on depth with modern SDLC/DevSecOps in cloud-native environments: microservices, APIs, containers/Kubernetes, serverless, IaC (Terraform/CloudFormation/ARM/Bicep), and CI/CD integration.
• Practical expertise operating and tuning SAST, DAST, SCA, API testing, IaC/container scanners, plus CNAPP for multi cloud.
• Scripting/automation proficiency (Python preferred; PowerShell/Bash nice) and REST API integration skills; able to create quick utilities and pipeline jobs to reduce manual effort.
• Strong knowledge of OWASP Top 10, ASVS, SAMM, NIST SSDF, CSA CCM, secure design patterns, cryptography fundamentals, authN/Z (OAuth2/OIDC/JWT), and common web/API vulns and mitigations.
• Experience triaging responsible disclosure or bug bounty reports and driving coordinated remediation with product teams.
• Excellent communicator who can simplify complex risk for engineers and leaders; bias to action and measurable outcomes.
• Familiarity with software supply chain security (SBOMs, signing, provenance, dependency risk) and runtime protection (RASP, WAF/WL, EDR for containers).
• Strong understanding of cloud architecture and infrastructure
• Collaborate with AI agents to build, test, and deploy software across the SDLC, by using proper contextual inputs to improve AI understanding and output quality.
• Implement AI-powered features and pipelines in our software
• Contribute to prompt engineering experimentation and share tool usage insights.
• Define coding standards, review practices, and ethical guidelines for AI use.
• Mentor peers and coach junior team members on AI-augmented development.

Preferred skills:

• WAF engineering experience (policy design, tuning, false positive management, bot/rate limit controls, logging/observability, blue/green rollout).
• Certifications (e.g., CISSP, CSSLP, GWAPT, GCSA, GCP/AWS/Azure security) are a plus.
• Experience with API security (OWASP API Top 10), Proactive Threat Response, Responsible Disclosure workflows is a plus.

Drug Testing

To be employed in this role, you’ll need to clear a pre-employment drug test. Cox Automotive does not currently administer a pre-employment drug test for marijuana for this position. However, we are a drug-free workplace, so the possession, use or being under the influence of drugs illegal under federal or state law during work hours, on company property and/or in company vehicles is prohibited.

Benefits

The Company offers eligible employees the flexibility to take as much vacation with pay as they deem consistent with their duties, the company’s needs, and its obligations; seven paid holidays throughout the calendar year; and up to 160 hours of paid wellness annually for their own wellness or that of family members. Employees are also eligible for additional paid time off in the form of bereavement leave, time off to vote, jury duty leave, volunteer time off, military leave, and parental leave.

About Us

Through groundbreaking technology and a commitment to stellar experiences for drivers and dealers alike, Cox Automotive employees are transforming the way the world buys, owns, sells – or simply uses – cars. Cox Automotive employees get to work on iconic consumer brands like Autotrader and Kelley Blue Book and industry-leading dealer-facing companies like vAuto and Manheim, all while enjoying the people-centered atmosphere that is central to our life at Cox. Benefits of working at Cox may include health care insurance (medical, dental, vision), retirement planning (401(k)), and paid days off (sick leave, parental leave, flexible vacation/wellness days, and/or PTO). For more details on what benefits you may be offered, visit our benefits page. Cox is an Equal Employment Opportunity employer – All qualified applicants/employees will receive consideration for employment without regard to that individual’s age, race, color, religion or creed, national origin or ancestry, sex (including pregnancy), sexual orientation, gender, gender identity, physical or mental disability, veteran status, genetic information, ethnicity, citizenship, or any other characteristic protected by law. Cox provides reasonable accommodations when requested by a qualified applicant or employee with disability, unless such accommodations would cause an undue hardship.