Lead Application Security Engineer
Cast & Crew
About Us
At Cast & Crew, we’ve empowered creativity and supported the global entertainment industry for decades. Together with our family of brands (Backstage, CAPS, Checks & Balances, Final Draft, Media Services, Sargent-Disc, and The TEAM Companies), we operate as a combined entertainment technology and services provider offering industry-standard screenwriting and accounting software, digital payroll products, data and reporting, and a host of creative tools. The industry continues to move faster than ever, and the need for our expertise, our technology, and our people has never been greater. We are a production’s best ally every step of the way. #OneCastOneCrew
The Opportunity
We're looking for an exceptional security engineer who can bridge the gap between application security expertise and DevOps automation. As our Lead Application Security & DevSecOps Engineer, you'll be the driving force behind building a security-first culture while implementing the tools and automation that make security seamless for our engineering teams.
This is a high-impact role where you'll shape security architecture, build automated security pipelines, and work directly with engineering teams to deliver secure products at scale. You'll have the autonomy to define our security roadmap and the technical chops to execute it.
Your Responsibilities
Lead Security Strategy & Architecture
Own the application security vision and roadmap for the engineering organization
Design secure architecture for new products, services, and critical features
Conduct threat modeling sessions for high-risk systems and data flows
Define security standards, policies, and best practices for development teams
Serve as the security subject matter expert for engineering leadership
Drive security initiatives from concept through implementation
Lead post-incident security reviews and implement preventive measures
Hands-On Application Security
Perform in-depth security code reviews of critical and high-risk code changes
Identify, assess, and prioritize vulnerabilities across our application portfolio
Partner with development teams to remediate security findings effectively
Research and evaluate emerging threats, attack vectors, and security vulnerabilities
Provide security consultation and architectural guidance to product teams
Conduct security assessments of third-party integrations and dependencies
Stay ahead of industry trends and evolving attack techniques
Build DevSecOps Infrastructure & Automation
Design and implement security automation throughout the CI/CD pipeline
Integrate, configure, and manage security scanning tools (SAST, DAST, SCA, secrets detection)
Build custom security tools and frameworks to scale security across teams
Automate security testing, vulnerability management, and compliance checking
Implement and manage secrets management solutions (Vault, cloud secret managers)
Secure containerized applications and Kubernetes deployments
Scan and enforce security policies for Infrastructure as Code (Terraform, CloudFormation)
Create security dashboards, metrics, and executive reporting
Continuously optimize security tooling for accuracy and developer experience
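One concrete instance of the pipeline automation described above, and of the secrets-detection tooling listed later in this posting, is a pre-merge gate that scans the lines a pull request adds for credential-looking tokens and fails the build on a hit. The script below is an added illustration written for this page; it is not Cast & Crew code and not the output of any vendor tool. It combines two complementary checks: known-format regexes (low false-positive rate) and a Shannon-entropy heuristic on long tokens (catches formats the regexes do not know). The `AKIA` and `ghp_` prefixes are documented key formats; every other pattern, the entropy threshold, the placeholder words, and the sample diff lines are assumptions constructed for the example.

```python
"""Minimal secrets-detection gate for a CI step (added example, not Cast & Crew code).

Scans a list of text lines (e.g. the added lines of a pull request) and returns
Finding objects so the calling pipeline step can fail the build.
"""
import math
import re
import sys
from dataclasses import dataclass

# Known-format patterns, checked first because they are cheap and precise.
# AKIA + 16 uppercase alphanumerics (AWS access key ID) and ghp_ + 36 chars
# (GitHub personal access token) are documented formats; the rest are heuristics.
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # keyword = 'value': captures the assigned value (8+ non-quote, non-space chars)
    "assigned_secret": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([^'\"\s]{8,})"
    ),
}

# Entropy heuristic for tokens the regexes miss: base64/hex-looking runs of 20+ chars.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; an assumed starting point, tune per repo

# Obvious placeholders are skipped to keep developer trust in the gate.
PLACEHOLDER_RE = re.compile(r"(?i)(example|changeme|placeholder|xxxx|your[_-])")
# Inline opt-out marker, following the detect-secrets "pragma: allowlist secret" convention.
INLINE_ALLOW = "pragma: allowlist secret"


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    token: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_lines(lines, allowlist=()):
    """Return a list of Finding for every line that looks like it carries a secret.

    `allowlist` holds substrings (e.g. known test fixtures) whose lines are ignored.
    """
    findings = []
    for line_no, line in enumerate(lines, start=1):
        if INLINE_ALLOW in line or PLACEHOLDER_RE.search(line):
            continue
        if any(a in line for a in allowlist):
            continue
        # Known formats: one finding per line is enough to fail the gate.
        for rule, pattern in KNOWN_PATTERNS.items():
            m = pattern.search(line)
            if m:
                findings.append(Finding(line_no, rule, m.group(m.lastindex or 0)))
                break
        else:
            # No known format matched: fall back to entropy on long tokens.
            for tok in TOKEN_RE.findall(line):
                if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                    findings.append(Finding(line_no, "high_entropy", tok))
                    break
    return findings


def ci_gate(lines, allowlist=()):
    """Return (passed, findings); passed is False when anything was flagged."""
    findings = scan_lines(lines, allowlist)
    return (len(findings) == 0, findings)


# Constructed sample "added lines" from a hypothetical pull request (not real credentials).
SAMPLE_DIFF = [
    "DB_HOST = 'db.internal'",
    "AWS_ACCESS_KEY_ID = 'AKIAABCDEFGHIJKLMNOP'",
    "password = 'changeme'",
    "API_TOKEN = 'kQ7v9ZpL2mXr4sWb8nTc1yHd6fJg0eAu'",
    "LOGO_B64 = 'AAAAAAAAAAAAAAAAAAAAAAAAAAAA'",
    "WEBHOOK = 'T0x9Qm4ZpL7vKs2Wb8nRc1Yd'",
    "test_token = 'abcdefghij1234567890'  # pragma: allowlist secret",
]

if __name__ == "__main__":
    passed, found = ci_gate(SAMPLE_DIFF)
    for f in found:
        print(f"line {f.line_no}: {f.rule}: {f.token}")
    sys.exit(0 if passed else 1)
```

Run as a CI step over the PR's added lines and the non-zero exit code blocks the merge; the placeholder and inline-allowlist checks are what keep the gate from training developers to ignore it. A production rollout would additionally keep a committed baseline of accepted findings and treat every true positive as a credential to rotate, not merely a line to remove.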
Enable & Empower Engineering Teams
Mentor developers on secure coding practices and security principles
Build and lead a security champions program across engineering
Create security training materials and conduct workshops
Provide actionable security feedback that doesn't block velocity
Collaborate with DevOps and Platform teams on security improvements
Make security tooling intuitive and integrated into developer workflows
What You Bring
Must-Have Experience
6+ years in application security with a strong track record of impact
Expert-level knowledge of web application security vulnerabilities (OWASP Top 10, injection attacks, authentication flaws, authorization issues, cryptographic failures, etc.)
Strong programming skills in 2+ languages such as Python, Java, JavaScript, C#
Proven experience securing CI/CD pipelines and building security automation
Hands-on expertise with security tools: SAST (SonarQube, Semgrep, Checkmarx), DAST (Burp Suite, OWASP ZAP), SCA (Snyk, Dependabot)
Deep understanding of authentication/authorization mechanisms (OAuth 2.0, OpenID Connect, SAML, JWT, API keys, TLS)
Production experience with cloud platforms (AWS, Azure, or GCP) and cloud-native security
Container security knowledge including Docker and Kubernetes security best practices
Excellent communication skills - able to explain security risks to engineers, product managers, and executives
Leadership experience mentoring engineers or leading security initiatives
Great-to-Have Experience
Security certifications: OSCP, GWAPT, CSSLP, CEH, or CISSP
Cloud certifications: AWS Certified Security Specialty, Azure Security Engineer, GCP Professional Cloud Security Engineer
Experience with Infrastructure as Code security (Terraform, CloudFormation, Pulumi, Ansible)
Background in DevOps, SRE, or Platform Engineering
Knowledge of compliance frameworks (SOC 2, ISO 27001, PCI-DSS, HIPAA, GDPR)
Contributions to open-source security tools or projects
Experience with API security, microservices, and service mesh architectures
Penetration testing or red team experience
Understanding of cryptography, PKI, and secure communication protocols
Technical Toolkit
Languages & Frameworks
Proficient in Python, Bash, or PowerShell for automation and tooling
Understanding of web frameworks (React, Spring Boot, .NET Core)
Experience with API development and security (REST, GraphQL, gRPC)
Security Tooling
Static Analysis (SAST): SonarQube, Snyk, Checkmarx, Fortify
Dynamic Analysis (DAST): Burp Suite Pro, OWASP ZAP, Acunetix
Software Composition Analysis (SCA): Snyk, Dependabot, WhiteSource (now Mend)
Container Security: Trivy, Aqua Security, Anchore, Prisma Cloud
IaC Security: Checkov, tfsec, Terrascan, Bridgecrew, Snyk IaC
Secrets Detection: GitGuardian, TruffleHog, detect-secrets
DevOps & Cloud
CI/CD: Jenkins, GitLab CI/CD, GitHub Actions, CircleCI, Azure DevOps
Containers & Orchestration: Docker, Kubernetes, ECS, AKS, GKE
Cloud Platforms: AWS (IAM, GuardDuty, Security Hub), Azure (Defender, Entra ID), GCP (Security Command Center)
IaC: Terraform, CloudFormation, Pulumi, CDK
Secrets Management: HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager
Monitoring: Prometheus, Grafana, ELK Stack, Datadog, Splunk
Security Practices
Threat modeling (STRIDE, PASTA, Attack Trees)
Secure SDLC integration
Security code review and auditing
Vulnerability assessment and penetration testing
Security incident response
Risk assessment and management
Why Join Us
Collaborative, learning-focused culture
Modern tech stack and cloud-native architecture
Engineers who care about security and want to learn
Special Work Conditions
Sedentary – Involves sitting most of the time but may involve walking or standing for brief periods of time. Some positions may entail exerting up to 15 lbs. of force occasionally and/or a negligible amount of force to lift, carry, push, or pull.
Benefits
Cast & Crew provides a comprehensive package of employee benefits including: Medical, Dental, Vision, PTO, health and wellness programs, employee discounts, and more! Note: Cast & Crew benefits are subject to eligibility requirements.
Cast & Crew is an equal opportunity employer committed to hiring a diverse workforce and sustaining an inclusive culture. It is our policy to provide equal employment opportunities to all individuals based on job-related qualifications and ability to perform a job, without regard to age, gender, gender identity, sexual orientation, race, color, religion, creed, national origin, disability, genetic information, veteran status, citizenship or marital status, and to maintain a non-discriminatory environment free from intimidation, harassment or bias based upon these grounds.
CA residents
Your personal information may be collected in connection with certain services provided by Cast & Crew or its affiliated companies. A summary of your California privacy rights can be found at: https://www.castandcrew.com/privacy-policy/