Back to search
University Information Technology - Indiana Wesleyan University Linkedin · Posted 5d ago

Senior Application Security Engineer Consultant

Indianapolis

Linkedin
Continue to application Add your email once, then Caio opens the original posting.

Indexed description

IWU is seeking a Senior Application Security Engineer Consultant (Independent Contractor ‑ 1099 / Contract-to-Hire) for a large-scale technology reorganization project.


ABOUT IWU TECHNOLOGY


ABOUT THE ROLE:

  • IWU is re-platforming its enterprise on a multi-site, active/active data center foundation and an AI-first application stack. Security must be embedded in how software is designed, built, tested, and shipped – not bolted on after release. We are seeking a Senior Application Security Engineer Consultant with deep AI application security experience to stand up secure SDLC practices, integrate security tooling into CI/CD pipelines, and partner with development teams building traditional applications and AI-native services alike.
  • This is not a cloud AppSec role. IWU runs workloads on infrastructure we own and operate in commercial colocation, with Microsoft Entra ID as our only sanctioned external service. You will embed security into on-premises pipelines – source control, build systems, artifact registries, Kubernetes deployments, and API gateways – while addressing threats unique to LLM applications: prompt injection, insecure output handling, excessive agency, training-data leakage, and model supply-chain risk.
  • You will be a hands-on senior individual contributor: you will translate industry application security standards into pipeline gates and developer guardrails, perform threat modeling and code review for high-risk changes, mentor engineers on secure coding, and partner with IAM, the Enterprise AI Architect, and platform teams to keep our re-platforming program auditable and defensible.


Secure SDLC and Developer Enablement

  • Recommend and implement the secure software development lifecycle (SSDLC) – requirements, design review, implementation, verification, release, and maintenance – aligned to organizational standards and ITIL change control.
  • Publish secure coding standards and language-specific guidance (.NET, Python, JavaScript/TypeScript, React, SQL) that development teams can adopt without slowing delivery.
  • Lead threat modeling sessions (STRIDE, PASTA, or equivalent) for new features, integrations, and AI workflows – document trust boundaries, data flows, and mitigations before code ships.
  • Run security design and architecture reviews for application, API, and microservice changes – partner with solution designers and tech leads on trade-offs that are secure and shippable.
  • Build developer security training – onboarding modules, lunch-and-learns, and just-in-time guidance tied to real findings from our codebase.


AI Application and LLM Security

  • Establish AI/LLM application security standards in partnership with the Enterprise AI Architect – OWASP LLM Top 10 mitigations, prompt and output guardrails, tool-use authorization, and human-in-the-loop controls for high-risk actions.
  • Review RAG and agent architectures for data exfiltration, prompt injection, indirect prompt injection, and cross-tenant leakage – embedding pipelines, vector store access controls, and retrieval boundaries.
  • Partner on AI observability and logging for security – prompt/output retention policies, audit trails, content filtering events, and evidence collection for governance reviews.


Identity, API, and Data Protection

  • Partner with IAM on application authentication and authorization patterns – OIDC/SAML integration, OAuth scopes, service accounts, workload identity, and least-privilege API access aligned to Entra ID and on-premises IdP standards.
  • Ensure applications handle regulated and sensitive data appropriately – FERPA, HIPAA, PCI-DSS, and SOC 2 controls for encryption at rest and in transit, logging, retention, and access auditing.
  • Coordinate with Database and Data Platform teams on SQL injection prevention, parameterized queries, ORM safety, and secure access to vector and relational stores.


Incident Response and Governance

  • Participate in security incident response for application-layer events – credential compromise, injection attacks, dependency exploits, and AI-specific abuse – with runbooks and post-incident review.
  • Contribute audit and compliance evidence – SSDLC artifacts, scan results, remediation SLAs, and penetration test closure reports for SOC 2, SOX, and institutional audits.
  • Align with ITIL change and problem management – security defects tracked to root cause, not one-off hotfixes that return next sprint.


WHAT WE ARE LOOKING FOR:

Required

  • According to Indiana Wesleyan University policy, all employees and contract-to-hire contractors must possess a strong Christian commitment and adhere to the standards outlined in the IWU Community Lifestyle Statement.
  • 5+ years of progressive experience in application security, secure software development, or security engineering, with 2+ years embedding security into CI/CD and developer workflows.
  • Strong secure coding foundation – common vulnerability classes (injection, XSS, CSRF, SSRF, deserialization, auth flaws) and how to prevent them in modern web and API stacks.
  • Experience with threat modeling and security architecture review for distributed applications – microservices, APIs, message queues, and event-driven integrations.
  • Hands-on familiarity with containers and Kubernetes security – image scanning, pod security standards, network policies, secrets management, and deployment hardening.
  • Working knowledge of AI/LLM application security – OWASP LLM Top 10, prompt injection mitigations, RAG security considerations, and guardrail patterns for production LLM features.
  • Experience supporting compliance-driven development – SOC 2, SOX, HIPAA, PCI-DSS, or FERPA-aligned controls with audit-ready documentation.
  • Bachelor's degree in Information Security, Computer Science, or a related field – or equivalent demonstrated experience.


Strongly Preferred

  • Experience securing on-premises or colocation application platforms – not solely SaaS or hyperscaler-native deployments.
  • Hands-on development background in .NET, Python, or JavaScript/TypeScript/Node/React – you have shipped code and know where developers cut corners under deadline pressure.
  • Experience with API gateways, service meshes, and zero-trust application patterns in Kubernetes.
  • Familiarity with Microsoft Entra ID application integration – app registrations, OAuth/OIDC flows, conditional access implications for custom apps.
  • Experience with AI agent and orchestration frameworks and their security operational realities.
  • Background in red teaming, penetration testing coordination, or bug bounty program support – you can read a finding and know whether the fix is real.
  • Relevant certifications (CSSLP, GWAPT, OSWE, SC-200, or equivalent demonstrated depth).


How You Work

  • You prioritize risk over checkbox compliance – not every finding deserves a Sev-1, and not every audit control deserves a bespoke spreadsheet.
  • You automate repeatable checks and reserve human review for judgment calls – architecture, AI abuse cases, and novel integration risk.
  • You stay current on AI security research and OWASP guidance – the threat model for LLM applications is evolving monthly, and you translate that into practical standards.


WHY THIS ROLE?

  • Foundational impact. Application security is on the critical path for enterprise re-platforming, AI-native products, and integration hub delivery – every team ships through the standards you help define.
  • AI-native scope. You are not retrofitting AppSec onto a legacy monolith only – you will shape security for RAG, agents, and model-serving workloads from early design.
  • Cross-functional seat. You work with Security, IAM, AI Architecture, Data, and Software Engineering – broad visibility and direct influence on how the re-platforming ships safely.
  • Mission and meaning. IWU is a century-old Christ-centered university serving roughly 15,000 learners. The applications you help secure carry their data, their progress, and their trust.


PROJECT REMUNERATION:

Estimated annual project remuneration is $155,000 - $175,000 for this independent contractor (1099) / Contract-to-Hire role.


Contractor Insurance/Bond Requirements

  • General Liability: $1m per occurrence / $2m aggregate
  • Cyber Liability: $2m per occurrence
  • Workers’ Compensation / Employers’ Liability: $500,000; not applicable for approved sole operators
  • Professional Liability / Errors & Omissions: $1m per occurrence / $3m aggregate


Equipment & Travel Expenses

  • IWU will provide required equipment and software. Personal devices and software are generally not permitted for assigned work unless approved by IWU.
  • IWU will pay for required and approved travel and other expenses.
  • Specific policies, rules, and details will be included in the executed contract.


Engagement Process

  1. Easy-Apply on LinkedIn
  2. LinkedIn Survey
  3. Phone Screen
  4. Video Interviews
  5. On-Site Interview/Tour
  6. Contract Engagement Begins


Compliance & Disclaimers

IWU is an equal opportunity employer committed to compliance with Title VII of the Civil Rights Act of 1964, Title IX of the Educational Amendments of 1972 and Section 504 of the Rehabilitation Act of 1973 or other federal, state, or local laws or executive orders except as claimed in a filed religious exemption.


Indiana Wesleyan University is managing this search directly. Third-party recruiters, staffing agencies, search firms, subcontracting firms, and candidate marketers may not submit candidates for this role unless they have a current, written agreement with IWU that specifically authorizes recruitment support for this opening.


Unsolicited candidate submissions will not create any obligation, fee, commission, placement right, or ownership claim. Any candidate submitted without prior written authorization may be contacted directly by IWU and considered without payment of any recruiting or placement fee.


Candidates must apply directly through this LinkedIn posting or the official IWU application process. This role does not authorize third-party representation, bench submissions, or agency-to-agency candidate referrals.

Free. 20 seconds. No password. See every match in this search.

Create a free Caio profile to unlock more results and save your role and location preferences.

Unlock free search
Want help applying to roles like this? Search Caio for free. If CV tailoring and application tracking get heavy, Full Caio Agent adds a human specialist.
View Full Agent