
Senior Manager, Application Security

Simpson Thacher & Bartlett, New York, New York

$190,000 - $220,000 / year


Overview

Schedule: Full-time
Career level: Director
Remote: Hybrid remote
Compensation: $190,000-$220,000/year
Benefits: Career Development

Job Description

JOB SUMMARY

The Senior Manager, Application Security is responsible for defining, leading, and operationalizing the firm’s application security program across internally developed applications, SaaS platforms, APIs, databases, generative AI platforms, and emerging application architectures. This role partners closely with application engineering, cloud, and platform teams to embed security into the software development lifecycle while enabling teams to deliver securely at scale.

The ideal candidate is a highly skilled, hands-on technical leader who can translate security requirements into practical developer workflows while enabling rapid and reliable software delivery.

JOB DUTIES & RESPONSIBILITIES

  • Develop, execute, and continuously mature the enterprise application security strategy in alignment with industry best practices, regulatory requirements, and client contractual obligations.

  • Define and maintain secure application development standards for internally developed software, third-party applications, APIs, SaaS platforms and containerized workloads.

  • Establish minimum security requirements for application authentication, authorization, encryption, secrets handling, and data protection.

  • Define, maintain, and enforce secure SDLC and DevSecOps standards across all development teams.

  • Integrate application security controls into CI/CD pipelines, developer platforms, and engineering workflows with a focus on automation and scalability.

  • Partner with Application Engineering and DevOps teams to embed automated security testing and preventive controls while maintaining security ownership of policy and enforcement.

  • Evaluate, select, implement, and manage the full lifecycle of application security tooling including:

    • SAST, DAST, SCA, and API security testing platforms

    • Container image scanning and registry security tooling

    • Kubernetes security and runtime protection solutions

    • Software supply chain security tooling

  • Design and implement integrations between application security tooling and developer workflows to minimize friction and maximize adoption.

  • Design and build automation to support application security processes including:

    • Orchestrated automated security testing.

    • Vulnerability triage and prioritization workflows

    • Developer feedback loops and ticketing system integrations

    • Exception handling, risk acceptance, and policy waiver workflows

    • Security metrics and pipeline telemetry

  • Identify and assess application security risks including vulnerable dependencies, insecure authentication patterns, data exposure risks, and insecure configuration.

  • Perform and support threat modeling, architecture reviews, and secure design assessments for high-risk or business-critical applications.

  • Support the security review, onboarding, and ongoing risk management of third-party and SaaS applications.

  • Develop and maintain metrics, dashboards, and reporting to measure application security posture, testing coverage, and vulnerability remediation effectiveness.

  • Provide application security subject matter expertise during security incidents, investigations, and post-incident remediation efforts.

  • Lead, mentor, and develop a team of application security engineers, fostering strong technical depth and career growth.

  • Partner with engineering leadership to drive secure-by-design development practices and shared accountability for risk reduction.

  • Communicate application security risks, tradeoffs, and recommendations clearly to both technical and executive stakeholders.

  • Promote a developer-friendly security culture focused on automation, guardrails, measurable risk reduction, and engineering velocity.

  • Stay current on emerging application threats, attack techniques, and defensive technologies, and apply this knowledge to continuously improve program effectiveness.

EDUCATION

Required

  • Bachelor’s degree in information security, IT, risk management, related discipline, or equivalent experience

Preferred

  • Professional certifications such as CISSP, CISM, or similar

SKILLS AND EXPERIENCE

  • 10+ years of progressive experience in application security, product security, or software security engineering roles

  • Hands-on experience securing modern application ecosystems, including web applications, APIs, microservices, cloud-native workloads, containers, and Kubernetes platforms

  • Demonstrated success building, scaling, and operating enterprise-grade Application Security programs within large, complex organizations, preferably in hybrid environments (on-premises, multi-cloud, Kubernetes, and SaaS).

  • Experience partnering with application, DevOps, and platform engineering teams to design and implement security controls that scale without impeding developer velocity.

  • Hands‑on experience implementing and operationalizing enterprise application security tooling and integrating controls into CI/CD pipelines and developer workflows.

  • Technical Skills & Knowledge:

    • Secure SDLC principles and DevSecOps integration patterns

    • Application security testing methodologies and tooling (SAST, DAST, SCA, API testing)

    • Container security concepts, including image hardening, vulnerability scanning, secure registries, and container lifecycle management.

    • Cloud-native application security concepts

    • Software supply chain security principles

    • Security automation and scripting (Python, PowerShell, or similar)

    • CI/CD security integration patterns

  • Demonstrated ability to lead, mentor, and develop high‑performing application security or product security engineering teams.

  • Strong program and project management capabilities, with a track record of delivering complex, cross‑functional initiatives on time and within budget.

  • Experience operating within global organizations and collaborating effectively across diverse geographies, cultures, and business units.

  • Proven ability to manage third‑party vendors and security technology providers, including evaluation, onboarding, delivery oversight, and performance management.

  • Strong interpersonal and collaboration skills, with comfort engaging regularly with senior leadership and key internal and external stakeholders.

  • Excellent executive communication and presentation skills, with the ability to clearly articulate risk, strategy, and technical concepts to both technical and non-technical audiences.

  • Strong ability to manage multiple concurrent priorities, exercise sound judgment, and effectively allocate time and resources in a fast‑paced environment.

  • Proven ability to execute effectively amid ambiguity and incomplete information, applying risk‑based decision‑making.

  • Demonstrated continuous learning mindset, staying current on emerging technologies, security threats, vulnerabilities, and attack vectors.

  • Passion for innovation, automation, and driving continuous improvement in application security processes.

POSTING DISCLOSURE:

Simpson Thacher will not sponsor applicants for work visas for this position.

Salary Information

NY Only: The estimated base salary range for this position is $190,000 to $220,000 at the time of posting.

The actual salary offered will depend on a variety of factors, including without limitation, the qualifications of the individual applicant for the position, years of relevant experience, level of education attained, certifications or other professional licenses held, and if applicable, the location in which the applicant lives and/or from which they will be performing the job. This role is exempt, meaning it is not eligible for overtime pay.

Privacy Notice

For information about how Simpson Thacher & Bartlett LLP collects and processes your personal information, please refer to our Privacy Notice available at https://www.stblaw.com/other/privacy-notice.

Simpson Thacher & Bartlett is committed to a collegial work environment in which all individuals are treated with respect and dignity. The Firm prohibits discrimination or harassment based upon race, color, religion, gender, gender identity or expression, age, national origin, citizenship status, disability, marital or partnership status, sexual orientation, veteran’s status or any other legally protected status. This Policy pertains to every aspect of an individual’s relationship with the Firm, including but not limited to recruitment, hiring, compensation, benefits, training and development, promotion, transfer, discipline, termination, and all other privileges, terms and conditions of employment.


FAQs About Senior Manager, Application Security Jobs at Simpson Thacher & Bartlett

What is the work location for this position at Simpson Thacher & Bartlett?
This job at Simpson Thacher & Bartlett is located in New York, New York, according to the details provided by the employer. Some roles may also include multiple work locations depending on the requirement.
What pay range can candidates expect for this role at Simpson Thacher & Bartlett?
Candidates can expect a pay range of $190,000 to $220,000 per year.
What employment type applies to this position at Simpson Thacher & Bartlett?
Simpson Thacher & Bartlett lists this role as a Full-time position.
What experience level is required for this role at Simpson Thacher & Bartlett?
Simpson Thacher & Bartlett is looking for a candidate with "Director" experience level.
What benefits are offered by Simpson Thacher & Bartlett for this role?
Simpson Thacher & Bartlett offers Career Development for this position. Actual benefits may vary depending on the employer's policies and employment terms.
What is the process to apply for this position at Simpson Thacher & Bartlett?
You can apply for this role at Simpson Thacher & Bartlett either through Sonara's automated application system, which helps you submit applications 10X faster with minimal effort, or by applying manually using the direct link on the job page.