Senior DevSecOps / Security Engineer - Application & Cloud (Ecommerce)
ARCHIVED
We can't find an active application page for this role right now. It may reopen or be listed elsewhere. Use Next Steps to search for an active apply link and similar live jobs.
Senior DevSecOps / Security Engineer – Application & Cloud (Ecommerce)
Department: Information Technology
Employment Type: Full Time
Location: Remote
Compensation: $150,000 - $180,000 / year
Description
At Thorne, we work to deliver high-quality, science-backed solutions to empower individuals to take a proactive approach to their well-being. Each day begins with a mission to help others discover and achieve their best health. We count on our team members to challenge and push the boundaries to make that happen. At Thorne, you’ll be joining a team of more than 750 passionate individuals committed to our cause of providing superior health solutions at every age and life stage.
Thorne is seeking a Senior DevSecOps / Security Engineer – Application & Cloud (Ecommerce) to secure and scale our digital platforms, including Thorne.com, mobile applications, and emerging AI capabilities. This role sits at the intersection of application security, DevSecOps, and AWS cloud infrastructure, with a strong focus on protecting ecommerce systems, customer data, and high-traffic web applications. The ideal candidate will balance remediations and hands-on execution, ensuring systems are resilient, performant, and secure, while embedding security throughout the development lifecycle.
RESPONSIBILITIES
Application & Ecommerce Security: Identify and remediate vulnerabilities in Java-based applications (Spring Boot, APIs, microservices)
Address OWASP Top 10 and ecommerce-specific risks, including:
Injection (SQL/NoSQL), XSS, CSRF
Broken authentication / session management
Business logic flaws (checkout, pricing, promotions, abuse scenarios)
Account takeover, credential stuffing, bot attacks
Secure checkout flows, payment integrations, subscriptions, and customer data handling
Conduct secure code reviews and support threat modeling for new features
API & Integration Security: Secure REST/GraphQL APIs (authentication, authorization, rate limiting)
Prevent API abuse, scraping, and data exfiltration
Implement and enforce secure patterns (OAuth2, JWT, token management)
DevSecOps & CI/CD Security: Implement and manage security tooling in CI/CD pipelines (SAST, DAST, SCA, secrets scanning)
Secure build and deployment pipelines
Enforce secure coding standards and automate policy checks
Own infrastructure-as-code security (Terraform) for app environments
AWS Cloud Security (Critical): Secure application workloads on AWS (EKS/ECS, EC2, Lambda, API Gateway, S3, RDS)
Implement and validate IAM roles and least privilege access
Network segmentation (VPCs, security groups, private/public boundaries)
Secrets management (AWS Secrets Manager, Parameter Store)
Data protection (encryption at rest/in transit)
Partner with Infra to ensure alignment with enterprise guardrails, while owning app-layer cloud security
Runtime Protection & Detection: Implement and tune WAF, bot protection, and rate limiting for ecommerce surfaces
Partner with Infra on CrowdStrike coverage for application workloads
Support detection and response improvements for Web/app-layer attacks and API abuse
Triage and remediate findings from Pen tests, Purple team exercises, and assumed breach scenarios
Security Program Execution: Translate security findings into prioritized engineering work
Partner with external security testing partners on risk prioritization (CTRM) tied to business impact
Drive adoption of security best practices across engineering teams
Act as a bridge between Ecom, Infrastructure, and external security partners
WHAT YOU NEED
Application & Ecommerce Security
Identify and remediate vulnerabilities in Java-based applications (Spring Boot, APIs, microservices)
Address OWASP Top 10 and ecommerce-specific risks, including:
Injection (SQL/NoSQL), XSS, CSRF
Broken authentication / session management
Business logic flaws (checkout, pricing, promotions, abuse scenarios)
Account takeover, credential stuffing, bot attacks
Secure checkout flows, payment integrations, subscriptions, and customer data handling
Conduct secure code reviews and support threat modeling for new features
API & Integration Security
Secure REST/GraphQL APIs (authentication, authorization, rate limiting)
Prevent API abuse, scraping, and data exfiltration
Implement and enforce secure patterns (OAuth2, JWT, token management)
DevSecOps & CI/CD Security
Implement and manage security tooling in CI/CD pipelines
SAST (Java-focused), DAST, SCA (dependencies), secrets scanning
Secure build and deployment pipelines
Enforce secure coding standards and automate policy checks
Own infrastructure-as-code security (Terraform) for app environments
AWS Cloud Security (Critical)
Secure application workloads on AWS (EKS/ECS, EC2, Lambda, API Gateway, S3, RDS)
IAM roles and least privilege access
Network segmentation (VPCs, security groups, private/public boundaries)
Secrets management (AWS Secrets Manager, Parameter Store)
Data protection (encryption at rest/in transit)
Partner with Infra to ensure alignment with enterprise guardrails, while owning app-layer cloud security
Runtime Protection & Detection
Implement and tune WAF, bot protection, and rate limiting for ecommerce surfaces
Partner with Infra on CrowdStrike coverage for application workloads
Support detection and response improvements for web/app-layer attacks and API abuse
Triage and remediate findings from Pen tests, Purple team exercises, and assumed breach scenarios
Security Program Execution
Translate security findings into prioritized engineering work
Partner with external security testing partners on risk prioritization (CTRM) tied to business impact
Drive adoption of security best practices across engineering teams
Act as a bridge between Ecom, Infrastructure, and external security partners
WHAT WE OFFER
Competitive compensation
100% company-paid medical, dental, and vision insurance coverage for employees
Company-paid short- and long-term disability insurance
Company- paid life insurance
401k plan with employer matching contributions up to 4%
Gym membership reimbursement
Monthly allowance of Thorne supplements
Paid time off, volunteer time off and holiday leave
Training, professional development, and career growth opportunities
#J-18808-Ljbffr