Application Security Architect
Irvine, CA - USA
Job Summary
Application Security Architect
Must Have Technical/Functional Skills
Hands-on AWS application security architecture across EC2, EKS/ECS, VPC, IAM, KMS, Secrets Manager, WAF/Shield, GuardDuty, Inspector, CloudTrail, Config and Security Hub.
Threat modeling expertise (e.g. STRIDE), dataflow decomposition and abuse-case identification for web, API, ESB and data migration paths.
Secure SDLC enablement: integrating SAST/DAST, SCA, container image scanning, IaC scanning (e.g. Terraform/CloudFormation) and secret scanning in CI/CD.
Strong command of OWASP Top 10, ASVS, dependency risk management and secure coding standards for Java services and APIs.
Container and serverless security: EKS/ECS hardening (IRSA, network policies, admission controls), ECR scanning, Lambda least privilege and event security.
Identity & access design: IAM roles, SCPs, org guardrails, role segmentation (RBAC/ABAC), federation (SAML/OIDC) and JIT access patterns.
Database security: Oracle 19c/Exadata encryption (TDE), DB network encryption, key management, privileged access controls and SQL audit strategies.
TIBCO ESB security: mTLS, TLS 1.2, credential/secret handling, payload validation and API & integration governance.
OS hardening knowledge for Windows Server 2016/2019/2022/2025 and RHEL 7/8/9 (CIS benchmarks, patching, endpoint controls).
Clear communicator and coach for dev/DevOps/SRE teams; adept at risk articulation, trade-off decisions and executive-level reporting.
Roles & Responsibilities
Lead the security architecture for the data center exit, defining secure landing zone patterns, reference architectures and migration guardrails.
Perform threat models (STRIDE) for target architectures: web/API tiers, TIBCO integrations, data pipelines and database migration flows to Exadata on AWS.
Embed security controls into the SDLC: codify policies for SAST/DAST/SCA and container/IaC scanning, and enforce break-glass/approval workflows in CI/CD.
Design identity and access patterns: least-privilege IAM roles, fine-grained segmentation, secrets rotation and cross-account access governance.
Define network security: VPC design, segmentation, Security Groups/NACLs, PrivateLink, TGW, WAF/Shield policies and egress controls for EC2/EKS.
Establish data protection: KMS/HSM key hierarchies, envelope encryption, TDE for Oracle, tokenization/masking where needed, and secure backups/replication.
Drive cloud security monitoring & IR: CloudTrail/Config/GuardDuty/Security Hub alerting, log centralization (e.g. CloudWatch, SIEM) and playbooks/runbooks.
Conduct risk assessments and design reviews, align to OWASP Top 10 and NIST/ISO control families, and document residual risks & compensating controls.
Partner with DB, app and integration teams to secure migration tooling (e.g. replication, cutover paths), validate rollback and perform pre-go-live pen tests.
Coach engineers via secure patterns (sample code/policies/Helm/Kyverno/Gatekeeper), lead readiness reviews and track remediation to closure.
Cloud Experience Needed
Proven on-prem to AWS migration experience for large application portfolios, including EC2-hosted Java/.NET and Oracle 19c Exadata on AWS transitions.
Demonstrated design/implementation of AWS Landing Zone/Organizations, SCP guardrails, account baselining and multi-account segmentation strategies.
Practical use of AWS security services: IAM, KMS, Secrets Manager, Certificate Manager, WAF/Shield, GuardDuty, Inspector, Security Hub, Macie, CloudTrail and Config.
Container security on EKS/ECS: IRSA, Pod Security Standards, network policies, admission controls (OPA/Gatekeeper/Kyverno) and ECR scanning.
CI/CD security automation: integrating SAST/DAST/SCA, IaC scanners (Terraform/CFN), container scanning and policy-as-code into pipelines.
Network architecture on AWS: VPCs, subnets, route tables, NAT/IGW, PrivateLink, Transit Gateway, inter-VPC segmentation and zero-trust patterns.
Database migration security: encryption in transit/at rest, key rotation, privileged access, audit logging and secure replication/cutover strategies.
TIBCO ESB in cloud: TLS/mTLS, credential vaulting, secure connector patterns, API governance and monitoring/observability for integrations.
Experience hardening Windows Server () and RHEL (7-9) images (CIS), patch baselines, EDR/antimalware and golden AMI pipelines.
Evidence of governance at scale: compliance mapping (OWASP Top 10, NIST/ISO), risk registers, executive reporting and continuous control monitoring.
Salary Range: $120,000-$140,000 a year