Application Security Engineer 3

Black Duck Software, Inc. helps organizations build secure, high-quality software, minimizing risks while maximizing speed and productivity. Black Duck, a recognized pioneer in application security, provides SAST, SCA, and DAST solutions that enable teams to quickly find and fix vulnerabilities and defects in proprietary code, open source components, and application behavior. With a combination of industry-leading tools, services, and expertise, only Black Duck helps organizations maximize security and quality in DevSecOps and throughout the software development life cycle.

Application Security Engineer III

We’re seeking a Senior Application Security Consultant with deep expertise in software security, secure development practices, governance, and framework-driven transformation planning. In this role, you will lead client engagements to assess Application Security Programs (AppSec) against industry frameworks and deliver strategic roadmaps that help organizations build, scale, and measure their secure software development capabilities. This position blends strategic consulting, technical governance, and development lifecycle expertise to translate assessment findings into actionable, measurable programs aligned with frameworks such as BSIMM and NIST SSDF.

Key Responsibilities

• Lead AppSec Program maturity assessments using frameworks like BSIMM, NIST SSDF, and OWASP SAMM, including stakeholder interviews, evidence collection, and scoring.


• Design and deliver Strategic Roadmaps outlining target states, 12–36-month plans, resource needs, and success metrics.


• Facilitate workshops with executive, engineering, and AppSec leadership to align initiatives with organizational risk and compliance goals.


• Deliver compelling, executive-level presentations and recommendations to CISOs, CTOs, and software leadership teams.


• Contribute to internal tools and accelerators (e.g., maturity scoring tools, roadmap templates, reporting dashboards).


• Support thought leadership through whitepapers, webinars, and conference presentations on secure software development and governance.

Qualifications

Must to have:

• 5 – 8 years of experience in application security, software assurance, or product security consulting.


• Strong knowledge of frameworks such as BSIMM, NIST SSDF, or OWASP SAMM.


• Experience with Open-Source Software (OSS) security, including identification, tracking, and remediation of vulnerabilities in third-party components.


• Familiarity with Software Bill of Materials (SBOM) standards and tools (e.g., SPDX, CycloneDX), and their role in software supply chain transparency and compliance


• Proven experience in developing or executing maturity models, capability assessments, or multi-year roadmaps for AppSec or DevSecOps programs.


• Hands-on experience with secure software development practices, including familiarity with SDLC, CI/CD pipelines, and code-level security controls.


• Excellent verbal and written communication skills, with the ability to translate technical findings into clear, executive-level narratives and actionable plans.


• Strong presentation and facilitation skills in client-facing environments.

Nice to have:

• Prior consulting experience with a Big Four, boutique AppSec consultancy, or internal software security governance team.


• Experience in software supply chain risk management (SSCRM), AI/ML assurance, or DevSecOps pipeline design.


• Background in software development (e.g., Java, Python, C#) and experience working within secure SDLCs.


• Industry certifications such as CEH, CISSP, CISM, or equivalent.

What You’ll Deliver

• Comprehensive AppSec Program Roadmaps, maturity assessments, and framework-aligned reports.


• Visuals and documentation for capability maturity models and strategic planning.


• Executive summaries and strategic recommendations tailored to leadership audiences.

Black Duck considers all applicants for employment without regard to race, color, religion, sex, gender preference, national origin, age, disability, or status as a Covered Veteran in accordance with federal law. In addition, Black Duck complies with applicable state and local laws prohibiting discrimination in employment in every jurisdiction in which it maintains facilities. Black Duck also provides reasonable accommodation to individuals with a disability in accordance with applicable laws.