Senior DevSecOps / Security Engineer – Application & Cloud (Ecommerce)
Indexed description
Location: Remote
Compensation: $150,000 - $180,000 / year
Description
At Thorne, we work to deliver high-quality, science-backed solutions to empower individuals to take a proactive approach to their well-being. Each day begins with a mission to help others discover and achieve their best health. We count on our team members to challenge and push the boundaries to make that happen. At Thorne, you’ll be joining a team of more than 750 passionate individuals committed to our cause of providing superior health solutions at every age and life stage.
The Senior DevSecOps / Security Engineer – Application & Cloud (Ecommerce) is responsible for designing, implementing, and advancing security across Thorne's digital ecosystem, including Thorne.com, mobile applications, cloud infrastructure, and emerging AI-enabled capabilities. This role serves as a technical leader in application security and DevSecOps, ensuring security is embedded throughout the software development lifecycle while protecting customer data, ecommerce platforms, and cloud-native services.
Working closely with Engineering, Infrastructure, Product, and Digital teams, this individual will develop secure-by-design solutions, automate security controls, and strengthen Thorne's cloud and application security posture. The ideal candidate combines deep expertise in AWS, DevSecOps, and application security with a hands-on approach to vulnerability remediation, security automation, and operational excellence. They are passionate about building resilient, scalable, and secure systems that enable innovation while reducing organizational risk.
Responsibilities
Application & Ecommerce Security
- Lead application security initiatives across Thorne's ecommerce platforms, mobile applications, APIs, and cloud-native services.
- Identify, assess, and remediate application vulnerabilities in Java-based applications, including Spring Boot services, microservices, and APIs, while addressing OWASP Top 10 risks and ecommerce-specific threats.
- Secure critical customer-facing functionality, including checkout, payment processing, subscription services, authentication, and customer data protection.
- Perform secure code reviews, threat modeling, and architecture assessments to ensure new applications and features are designed with security from the outset.
- Design and implement secure REST and GraphQL APIs by enforcing authentication, authorization, rate limiting, and secure token management using modern standards such as OAuth2 and JWT.
- Secure AWS-hosted application environments, including EKS/ECS, EC2, Lambda, API Gateway, S3, and RDS, by implementing cloud security best practices for identity, networking, secrets management, and data protection.
- Collaborate with Infrastructure teams to ensure application-layer cloud security aligns with enterprise security architecture, governance, and operational standards.
- Embed security throughout the software development lifecycle by integrating SAST, DAST, Software Composition Analysis (SCA), secrets scanning, and other automated security controls into CI/CD pipelines.
- Secure build and deployment processes while establishing automated policy enforcement and secure coding standards.
- Develop and maintain Infrastructure-as-Code security practices using Terraform and other cloud automation tools.
- Implement and optimize runtime security controls, including Web Application Firewalls (WAF), bot mitigation, rate limiting, and application-layer monitoring for ecommerce environments.
- Partner with Infrastructure and Security Operations teams to improve detection, monitoring, and response capabilities for application attacks, API abuse, and emerging threats.
- Investigate, prioritize, and remediate security findings identified through penetration testing, purple team exercises, vulnerability assessments, and assumed breach scenarios.
- Translate security assessments and vulnerability findings into prioritized engineering initiatives based on business risk and customer impact.
- Partner with Engineering, Ecommerce, Infrastructure, Product, and external security partners to drive adoption of secure development practices and continuous security improvements.
- Serve as a trusted security advisor by promoting secure-by-design principles, mentoring engineering teams, and helping build a security-first engineering culture.
- Identify, assess, and remediate security vulnerabilities across Java-based applications, including Spring Boot services, APIs, and microservices.
- Protect customer-facing ecommerce platforms by mitigating OWASP Top 10 vulnerabilities and ecommerce-specific threats, including injection attacks (SQL/NoSQL), cross-site scripting (XSS), cross-site request forgery (CSRF), authentication
- Bachelor's degree in Computer Science, Cybersecurity, Information Systems, Engineering, or a related technical discipline; equivalent professional experience will also be considered.
- 5+ years of experience in DevSecOps, Security Engineering, DevOps, Application Security, or a related cybersecurity role.
- Experience securing Java-based web applications, including Spring Boot, microservices, and distributed application architectures.
- Experience designing and implementing security controls within AWS cloud environments.
- Experience supporting ecommerce platforms or other high-availability, customer-facing applications is preferred.
- Professional security certifications such as AWS Security Specialty, CISSP, CSSLP, or comparable certifications are preferred.
- Deep understanding of secure software development principles, OWASP Top 10 vulnerabilities, and modern application security best practices.
- Experience implementing DevSecOps controls within CI/CD pipelines, including Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Software Composition Analysis (SCA), and secrets management.
- Strong knowledge of API security, including OAuth2, JWT, authentication, authorization, and rate-limiting strategies.
- Experience securing Infrastructure-as-Code (Terraform preferred) and cloud-native application environments.
- Familiarity with AWS security services, Web Application Firewalls (WAF), bot mitigation technologies (e.g., Cloudflare), and endpoint security solutions such as CrowdStrike.
- Experience securing containerized environments, including Kubernetes and Amazon EKS, is preferred.
- Familiarity with emerging security considerations related to AI-enabled applications and large language models (LLMs) is a plus.
- Strong ownership mindset with the ability to lead security initiatives from assessment through remediation and continuous improvement.
- Ability to balance security, performance, and business objectives while enabling rapid software delivery.
- Excellent analytical and problem-solving skills with a pragmatic, hands-on approach to addressing complex security challenges.
- Strong collaboration and communication skills with the ability to partner effectively across Engineering, Ecommerce, Infrastructure, Product, and external security partners.
- Self-motivated and execution-focused, with the ability to manage multiple priorities in a fast-paced environment.
- Passion for continuous learning and staying current with evolving cybersecurity threats, technologies, and industry best practices.
- Competitive compensation
- 100% company-paid medical, dental, and vision insurance coverage for employees
- Company-paid short- and long-term disability insurance
- Company- paid life insurance
- 401k plan with employer matching contributions up to 4%
- Gym membership reimbursement
- Monthly allowance of Thorne supplements
- Paid time off, volunteer time off and holiday leave
- Training, professional development, and career growth opportunities
THORNE IS AN EQUAL OPPORTUNITY EMPLOYER
Create a free Caio profile to unlock more results and save your role and location preferences.
Unlock free search