Back to search
Thorne Linkedin · Posted 1mo ago

Senior DevSecOps / Security Engineer – Application & Cloud (Ecommerce)

South Carolina, United States

Linkedin
Continue to application Add your email once, then Caio opens the original posting.

Indexed description

Department: Information Technology

Location: Remote

Compensation: $150,000 - $180,000 / year

Description

At Thorne, we work to deliver high-quality, science-backed solutions to empower individuals to take a proactive approach to their well-being. Each day begins with a mission to help others discover and achieve their best health. We count on our team members to challenge and push the boundaries to make that happen. At Thorne, you’ll be joining a team of more than 750 passionate individuals committed to our cause of providing superior health solutions at every age and life stage.

The Senior DevSecOps / Security Engineer – Application & Cloud (Ecommerce) is responsible for designing, implementing, and advancing security across Thorne's digital ecosystem, including Thorne.com, mobile applications, cloud infrastructure, and emerging AI-enabled capabilities. This role serves as a technical leader in application security and DevSecOps, ensuring security is embedded throughout the software development lifecycle while protecting customer data, ecommerce platforms, and cloud-native services.

Working closely with Engineering, Infrastructure, Product, and Digital teams, this individual will develop secure-by-design solutions, automate security controls, and strengthen Thorne's cloud and application security posture. The ideal candidate combines deep expertise in AWS, DevSecOps, and application security with a hands-on approach to vulnerability remediation, security automation, and operational excellence. They are passionate about building resilient, scalable, and secure systems that enable innovation while reducing organizational risk.

Responsibilities

Application & Ecommerce Security

  • Lead application security initiatives across Thorne's ecommerce platforms, mobile applications, APIs, and cloud-native services.
  • Identify, assess, and remediate application vulnerabilities in Java-based applications, including Spring Boot services, microservices, and APIs, while addressing OWASP Top 10 risks and ecommerce-specific threats.
  • Secure critical customer-facing functionality, including checkout, payment processing, subscription services, authentication, and customer data protection.
  • Perform secure code reviews, threat modeling, and architecture assessments to ensure new applications and features are designed with security from the outset.

API & Cloud Security

  • Design and implement secure REST and GraphQL APIs by enforcing authentication, authorization, rate limiting, and secure token management using modern standards such as OAuth2 and JWT.
  • Secure AWS-hosted application environments, including EKS/ECS, EC2, Lambda, API Gateway, S3, and RDS, by implementing cloud security best practices for identity, networking, secrets management, and data protection.
  • Collaborate with Infrastructure teams to ensure application-layer cloud security aligns with enterprise security architecture, governance, and operational standards.

DevSecOps & Security Automation

  • Embed security throughout the software development lifecycle by integrating SAST, DAST, Software Composition Analysis (SCA), secrets scanning, and other automated security controls into CI/CD pipelines.
  • Secure build and deployment processes while establishing automated policy enforcement and secure coding standards.
  • Develop and maintain Infrastructure-as-Code security practices using Terraform and other cloud automation tools.

Threat Detection & Incident Response

  • Implement and optimize runtime security controls, including Web Application Firewalls (WAF), bot mitigation, rate limiting, and application-layer monitoring for ecommerce environments.
  • Partner with Infrastructure and Security Operations teams to improve detection, monitoring, and response capabilities for application attacks, API abuse, and emerging threats.
  • Investigate, prioritize, and remediate security findings identified through penetration testing, purple team exercises, vulnerability assessments, and assumed breach scenarios.

Security Leadership & Collaboration

  • Translate security assessments and vulnerability findings into prioritized engineering initiatives based on business risk and customer impact.
  • Partner with Engineering, Ecommerce, Infrastructure, Product, and external security partners to drive adoption of secure development practices and continuous security improvements.
  • Serve as a trusted security advisor by promoting secure-by-design principles, mentoring engineering teams, and helping build a security-first engineering culture.

Application & Ecommerce Security

  • Identify, assess, and remediate security vulnerabilities across Java-based applications, including Spring Boot services, APIs, and microservices.
  • Protect customer-facing ecommerce platforms by mitigating OWASP Top 10 vulnerabilities and ecommerce-specific threats, including injection attacks (SQL/NoSQL), cross-site scripting (XSS), cross-site request forgery (CSRF), authentication

What You Need

Education & Experience

  • Bachelor's degree in Computer Science, Cybersecurity, Information Systems, Engineering, or a related technical discipline; equivalent professional experience will also be considered.
  • 5+ years of experience in DevSecOps, Security Engineering, DevOps, Application Security, or a related cybersecurity role.
  • Experience securing Java-based web applications, including Spring Boot, microservices, and distributed application architectures.
  • Experience designing and implementing security controls within AWS cloud environments.
  • Experience supporting ecommerce platforms or other high-availability, customer-facing applications is preferred.
  • Professional security certifications such as AWS Security Specialty, CISSP, CSSLP, or comparable certifications are preferred.

Technical Knowledge

  • Deep understanding of secure software development principles, OWASP Top 10 vulnerabilities, and modern application security best practices.
  • Experience implementing DevSecOps controls within CI/CD pipelines, including Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Software Composition Analysis (SCA), and secrets management.
  • Strong knowledge of API security, including OAuth2, JWT, authentication, authorization, and rate-limiting strategies.
  • Experience securing Infrastructure-as-Code (Terraform preferred) and cloud-native application environments.
  • Familiarity with AWS security services, Web Application Firewalls (WAF), bot mitigation technologies (e.g., Cloudflare), and endpoint security solutions such as CrowdStrike.
  • Experience securing containerized environments, including Kubernetes and Amazon EKS, is preferred.
  • Familiarity with emerging security considerations related to AI-enabled applications and large language models (LLMs) is a plus.

Core Competencies

  • Strong ownership mindset with the ability to lead security initiatives from assessment through remediation and continuous improvement.
  • Ability to balance security, performance, and business objectives while enabling rapid software delivery.
  • Excellent analytical and problem-solving skills with a pragmatic, hands-on approach to addressing complex security challenges.
  • Strong collaboration and communication skills with the ability to partner effectively across Engineering, Ecommerce, Infrastructure, Product, and external security partners.
  • Self-motivated and execution-focused, with the ability to manage multiple priorities in a fast-paced environment.
  • Passion for continuous learning and staying current with evolving cybersecurity threats, technologies, and industry best practices.

What We Offer

  • Competitive compensation
  • 100% company-paid medical, dental, and vision insurance coverage for employees
  • Company-paid short- and long-term disability insurance
  • Company- paid life insurance
  • 401k plan with employer matching contributions up to 4%
  • Gym membership reimbursement
  • Monthly allowance of Thorne supplements
  • Paid time off, volunteer time off and holiday leave
  • Training, professional development, and career growth opportunities

Thorne is the leader in science-backed health and wellness solutions committed to helping individuals live healthier longer. As the top recommended clinical brand by healthcare practitioners, Thorne offers a comprehensive range of products including nutritional supplements and health tests designed to meet the unique needs of individuals at every stage of life. Founded in 1984, Thorne products are formulated with the highest-quality ingredients, supported by clinical research, and rigorously tested to ensure purity, potency, and efficacy. Thorne is trusted by 47,000+ health-care professionals, thousands of professional athletes, more than 100 professional sports teams, multiple U.S. National Teams, and more than five million consumers. For more information, visit Thorne.com.

THORNE IS AN EQUAL OPPORTUNITY EMPLOYER

Free. 20 seconds. No password. See every match in this search.

Create a free Caio profile to unlock more results and save your role and location preferences.

Unlock free search
Want help applying to roles like this? Search Caio for free. If CV tailoring and application tracking get heavy, Full Caio Agent adds a human specialist.
View Full Agent