{"schemaVersion":"jobsearcher.job.v1","id":"2ab996165494f15babaaefe1","url":"https://jobsearcher.com/jobs/2ab996165494f15babaaefe1","canonicalUrl":"https://jobsearcher.com/jobs/2ab996165494f15babaaefe1","title":"Senior DevSecOps / Security Engineer - Application & Cloud (Ecommerce)","description":"Senior DevSecOps / Security Engineer – Application & Cloud (Ecommerce)\nDepartment: Information Technology\n\nEmployment Type: Full Time\n\nLocation: Remote\n\nCompensation: $150,000 - $180,000 / year\n\nDescription\nAt Thorne, we work to deliver high-quality, science-backed solutions to empower individuals to take a proactive approach to their well-being. Each day begins with a mission to help others discover and achieve their best health. We count on our team members to challenge and push the boundaries to make that happen. At Thorne, you’ll be joining a team of more than 750 passionate individuals committed to our cause of providing superior health solutions at every age and life stage.\n\nThorne is seeking a Senior DevSecOps / Security Engineer – Application & Cloud (Ecommerce) to secure and scale our digital platforms, including Thorne.com, mobile applications, and emerging AI capabilities. This role sits at the intersection of application security, DevSecOps, and AWS cloud infrastructure, with a strong focus on protecting ecommerce systems, customer data, and high-traffic web applications. The ideal candidate will balance remediations and hands-on execution, ensuring systems are resilient, performant, and secure, while embedding security throughout the development lifecycle.\n\nRESPONSIBILITIES\n\nApplication & Ecommerce Security: Identify and remediate vulnerabilities in Java-based applications (Spring Boot, APIs, microservices)\n\nAddress OWASP Top 10 and ecommerce-specific risks, including:\n\nInjection (SQL/NoSQL), XSS, CSRF\n\nBroken authentication / session management\n\nBusiness logic flaws (checkout, pricing, promotions, abuse scenarios)\n\nAccount takeover, credential stuffing, bot attacks\n\nSecure checkout flows, payment integrations, subscriptions, and customer data handling\n\nConduct secure code reviews and support threat modeling for new features\n\nAPI & Integration Security: Secure REST/GraphQL APIs (authentication, authorization, rate limiting)\n\nPrevent API abuse, scraping, and data exfiltration\n\nImplement and enforce secure patterns (OAuth2, JWT, token management)\n\nDevSecOps & CI/CD Security: Implement and manage security tooling in CI/CD pipelines (SAST, DAST, SCA, secrets scanning)\n\nSecure build and deployment pipelines\n\nEnforce secure coding standards and automate policy checks\n\nOwn infrastructure-as-code security (Terraform) for app environments\n\nAWS Cloud Security (Critical): Secure application workloads on AWS (EKS/ECS, EC2, Lambda, API Gateway, S3, RDS)\n\nImplement and validate IAM roles and least privilege access\n\nNetwork segmentation (VPCs, security groups, private/public boundaries)\n\nSecrets management (AWS Secrets Manager, Parameter Store)\n\nData protection (encryption at rest/in transit)\n\nPartner with Infra to ensure alignment with enterprise guardrails, while owning app-layer cloud security\n\nRuntime Protection & Detection: Implement and tune WAF, bot protection, and rate limiting for ecommerce surfaces\n\nPartner with Infra on CrowdStrike coverage for application workloads\n\nSupport detection and response improvements for Web/app-layer attacks and API abuse\n\nTriage and remediate findings from Pen tests, Purple team exercises, and assumed breach scenarios\n\nSecurity Program Execution: Translate security findings into prioritized engineering work\n\nPartner with external security testing partners on risk prioritization (CTRM) tied to business impact\n\nDrive adoption of security best practices across engineering teams\n\nAct as a bridge between Ecom, Infrastructure, and external security partners\n\nWHAT YOU NEED\nApplication & Ecommerce Security\n\nIdentify and remediate vulnerabilities in Java-based applications (Spring Boot, APIs, microservices)\n\nAddress OWASP Top 10 and ecommerce-specific risks, including:\n\nInjection (SQL/NoSQL), XSS, CSRF\n\nBroken authentication / session management\n\nBusiness logic flaws (checkout, pricing, promotions, abuse scenarios)\n\nAccount takeover, credential stuffing, bot attacks\n\nSecure checkout flows, payment integrations, subscriptions, and customer data handling\n\nConduct secure code reviews and support threat modeling for new features\n\nAPI & Integration Security\n\nSecure REST/GraphQL APIs (authentication, authorization, rate limiting)\n\nPrevent API abuse, scraping, and data exfiltration\n\nImplement and enforce secure patterns (OAuth2, JWT, token management)\n\nDevSecOps & CI/CD Security\n\nImplement and manage security tooling in CI/CD pipelines\n\nSAST (Java-focused), DAST, SCA (dependencies), secrets scanning\n\nSecure build and deployment pipelines\n\nEnforce secure coding standards and automate policy checks\n\nOwn infrastructure-as-code security (Terraform) for app environments\n\nAWS Cloud Security (Critical)\n\nSecure application workloads on AWS (EKS/ECS, EC2, Lambda, API Gateway, S3, RDS)\n\nIAM roles and least privilege access\n\nNetwork segmentation (VPCs, security groups, private/public boundaries)\n\nSecrets management (AWS Secrets Manager, Parameter Store)\n\nData protection (encryption at rest/in transit)\n\nPartner with Infra to ensure alignment with enterprise guardrails, while owning app-layer cloud security\n\nRuntime Protection & Detection\n\nImplement and tune WAF, bot protection, and rate limiting for ecommerce surfaces\n\nPartner with Infra on CrowdStrike coverage for application workloads\n\nSupport detection and response improvements for web/app-layer attacks and API abuse\n\nTriage and remediate findings from Pen tests, Purple team exercises, and assumed breach scenarios\n\nSecurity Program Execution\n\nTranslate security findings into prioritized engineering work\n\nPartner with external security testing partners on risk prioritization (CTRM) tied to business impact\n\nDrive adoption of security best practices across engineering teams\n\nAct as a bridge between Ecom, Infrastructure, and external security partners\n\nWHAT WE OFFER\n\nCompetitive compensation\n\n100% company-paid medical, dental, and vision insurance coverage for employees\n\nCompany-paid short- and long-term disability insurance\n\nCompany- paid life insurance\n\n401k plan with employer matching contributions up to 4%\n\nGym membership reimbursement\n\nMonthly allowance of Thorne supplements\n\nPaid time off, volunteer time off and holiday leave\n\nTraining, professional development, and career growth opportunities\n\n#J-18808-Ljbffr","company":"Thorne","rawCompany":"thorne","city":"Columbia","state":"SC","isRemote":false,"isActive":false,"createdAt":"2026-06-17T03:38:17.479Z","occupations":[{"code":"15-1299.05","title":"Information Security Engineers","slug":"information-security-engineers"},{"code":"15-1299.08","title":"Computer Systems Engineers/Architects","slug":"computer-systems-engineers-architects"},{"code":"15-1252.00","title":"Software Developers","slug":"software-developers"}],"industries":[{"code":"541512","title":"Computer Systems Design Services","slug":"computer-systems-design-services"},{"code":"541511","title":"Custom Computer Programming Services","slug":"custom-computer-programming-services"},{"code":"513210","title":"Software Publishers","slug":"software-publishers"}],"jobPosting":{"@context":"https://schema.org","@type":"JobPosting","title":"Senior DevSecOps / Security Engineer - Application & Cloud (Ecommerce)","description":"Senior DevSecOps / Security Engineer – Application & Cloud (Ecommerce)\nDepartment: Information Technology\n\nEmployment Type: Full Time\n\nLocation: Remote\n\nCompensation: $150,000 - $180,000 / year\n\nDescription\nAt Thorne, we work to deliver high-quality, science-backed solutions to empower individuals to take a proactive approach to their well-being. Each day begins with a mission to help others discover and achieve their best health. We count on our team members to challenge and push the boundaries to make that happen. At Thorne, you’ll be joining a team of more than 750 passionate individuals committed to our cause of providing superior health solutions at every age and life stage.\n\nThorne is seeking a Senior DevSecOps / Security Engineer – Application & Cloud (Ecommerce) to secure and scale our digital platforms, including Thorne.com, mobile applications, and emerging AI capabilities. This role sits at the intersection of application security, DevSecOps, and AWS cloud infrastructure, with a strong focus on protecting ecommerce systems, customer data, and high-traffic web applications. The ideal candidate will balance remediations and hands-on execution, ensuring systems are resilient, performant, and secure, while embedding security throughout the development lifecycle.\n\nRESPONSIBILITIES\n\nApplication & Ecommerce Security: Identify and remediate vulnerabilities in Java-based applications (Spring Boot, APIs, microservices)\n\nAddress OWASP Top 10 and ecommerce-specific risks, including:\n\nInjection (SQL/NoSQL), XSS, CSRF\n\nBroken authentication / session management\n\nBusiness logic flaws (checkout, pricing, promotions, abuse scenarios)\n\nAccount takeover, credential stuffing, bot attacks\n\nSecure checkout flows, payment integrations, subscriptions, and customer data handling\n\nConduct secure code reviews and support threat modeling for new features\n\nAPI & Integration Security: Secure REST/GraphQL APIs (authentication, authorization, rate limiting)\n\nPrevent API abuse, scraping, and data exfiltration\n\nImplement and enforce secure patterns (OAuth2, JWT, token management)\n\nDevSecOps & CI/CD Security: Implement and manage security tooling in CI/CD pipelines (SAST, DAST, SCA, secrets scanning)\n\nSecure build and deployment pipelines\n\nEnforce secure coding standards and automate policy checks\n\nOwn infrastructure-as-code security (Terraform) for app environments\n\nAWS Cloud Security (Critical): Secure application workloads on AWS (EKS/ECS, EC2, Lambda, API Gateway, S3, RDS)\n\nImplement and validate IAM roles and least privilege access\n\nNetwork segmentation (VPCs, security groups, private/public boundaries)\n\nSecrets management (AWS Secrets Manager, Parameter Store)\n\nData protection (encryption at rest/in transit)\n\nPartner with Infra to ensure alignment with enterprise guardrails, while owning app-layer cloud security\n\nRuntime Protection & Detection: Implement and tune WAF, bot protection, and rate limiting for ecommerce surfaces\n\nPartner with Infra on CrowdStrike coverage for application workloads\n\nSupport detection and response improvements for Web/app-layer attacks and API abuse\n\nTriage and remediate findings from Pen tests, Purple team exercises, and assumed breach scenarios\n\nSecurity Program Execution: Translate security findings into prioritized engineering work\n\nPartner with external security testing partners on risk prioritization (CTRM) tied to business impact\n\nDrive adoption of security best practices across engineering teams\n\nAct as a bridge between Ecom, Infrastructure, and external security partners\n\nWHAT YOU NEED\nApplication & Ecommerce Security\n\nIdentify and remediate vulnerabilities in Java-based applications (Spring Boot, APIs, microservices)\n\nAddress OWASP Top 10 and ecommerce-specific risks, including:\n\nInjection (SQL/NoSQL), XSS, CSRF\n\nBroken authentication / session management\n\nBusiness logic flaws (checkout, pricing, promotions, abuse scenarios)\n\nAccount takeover, credential stuffing, bot attacks\n\nSecure checkout flows, payment integrations, subscriptions, and customer data handling\n\nConduct secure code reviews and support threat modeling for new features\n\nAPI & Integration Security\n\nSecure REST/GraphQL APIs (authentication, authorization, rate limiting)\n\nPrevent API abuse, scraping, and data exfiltration\n\nImplement and enforce secure patterns (OAuth2, JWT, token management)\n\nDevSecOps & CI/CD Security\n\nImplement and manage security tooling in CI/CD pipelines\n\nSAST (Java-focused), DAST, SCA (dependencies), secrets scanning\n\nSecure build and deployment pipelines\n\nEnforce secure coding standards and automate policy checks\n\nOwn infrastructure-as-code security (Terraform) for app environments\n\nAWS Cloud Security (Critical)\n\nSecure application workloads on AWS (EKS/ECS, EC2, Lambda, API Gateway, S3, RDS)\n\nIAM roles and least privilege access\n\nNetwork segmentation (VPCs, security groups, private/public boundaries)\n\nSecrets management (AWS Secrets Manager, Parameter Store)\n\nData protection (encryption at rest/in transit)\n\nPartner with Infra to ensure alignment with enterprise guardrails, while owning app-layer cloud security\n\nRuntime Protection & Detection\n\nImplement and tune WAF, bot protection, and rate limiting for ecommerce surfaces\n\nPartner with Infra on CrowdStrike coverage for application workloads\n\nSupport detection and response improvements for web/app-layer attacks and API abuse\n\nTriage and remediate findings from Pen tests, Purple team exercises, and assumed breach scenarios\n\nSecurity Program Execution\n\nTranslate security findings into prioritized engineering work\n\nPartner with external security testing partners on risk prioritization (CTRM) tied to business impact\n\nDrive adoption of security best practices across engineering teams\n\nAct as a bridge between Ecom, Infrastructure, and external security partners\n\nWHAT WE OFFER\n\nCompetitive compensation\n\n100% company-paid medical, dental, and vision insurance coverage for employees\n\nCompany-paid short- and long-term disability insurance\n\nCompany- paid life insurance\n\n401k plan with employer matching contributions up to 4%\n\nGym membership reimbursement\n\nMonthly allowance of Thorne supplements\n\nPaid time off, volunteer time off and holiday leave\n\nTraining, professional development, and career growth opportunities\n\n#J-18808-Ljbffr","datePosted":"2026-06-17T03:38:17.479Z","dateModified":"2026-06-17T03:38:17.479Z","hiringOrganization":{"@type":"Organization","name":"Thorne","sameAs":"https://jobsearcher.com"},"jobLocation":{"@type":"Place","address":{"@type":"PostalAddress","addressLocality":"Columbia","addressRegion":"SC","addressCountry":"US"}},"identifier":{"@type":"PropertyValue","name":"JobSearcher","value":"2ab996165494f15babaaefe1"},"url":"https://jobsearcher.com/jobs/2ab996165494f15babaaefe1"}}