Product & Data Security Engineer (AppSec, DLP, & Privacy)

VDart Inc

Job role: Product & Data Security Engineer (AppSec, DLP, & Privacy)

Duration: Contract-to-Hire (6-12 Months)

Location: Fully Remote

Job Description

You embed Secure-by-Design and Private-by-Design principles directly into the SDLC by building self-service, developer-native guardrails. You do not review code manually; you design systems that make insecure or non-compliant code impossible to merge.

Responsibilities

Secure SDLC

Design and maintain SAST, SCA, API, and schema validation patterns using GitHub Actions with deterministic policy-as-code gates (no discretionary approvals).

Data Loss Prevention (DLP)

Implement source-level PHI/PII and secret detection using regex + ML classifiers in CI/CD to block sensitive data from ever entering source control or artifacts.

API & Transport Security

Define non-negotiable Layer 7 standards (TLS 1.3, HSTS, OAuth/OIDC, JWT lifetimes) and automate OpenAPI linting to prevent over-exposure or data leakage.

Data Protection Patterns

Build and maintain application-layer encryption, tokenization, and redaction libraries that are consumed by product teams by default.

Supply Chain Security

Generate SBOMs per build, sign and attest artifacts, and enforce provenance verification at deploy time via pipeline policy.

Minimum Qualifications

5+ years in AppSec or Software Engineering with data-centric security ownership.

Hands-on with GitHub Actions, secret prevention tooling, API security, and OAuth/OIDC.

Proficient in Python, Go, or TypeScript with strong developer empathy.

Success Measures

90% of repos protected by automated DLP and secret scanning

100% of APIs conforming to standardized auth and transport patterns

Measurable reduction in high/critical application-layer findings
