today

security engineer

47.1% above market
vacancy: 481,292 ₽
average: 327,272 ₽

description

EPAM provides digital platform engineering and software development services, helping organizations build and scale their digital capabilities through advanced technology solutions.

responsibilities

  • Embed security into the full software development lifecycle and drive shift-left and secure-by-design practices across engineering teams;
  • Perform and facilitate threat modeling, architecture security reviews, and design reviews for applications, services, and APIs;
  • Conduct secure code reviews (manual and AI-assisted) and advise developers on secure coding patterns and remediation;
  • Implement, configure, tune, and operate application security tooling, including SAST, DAST, IAST, SCA, secrets scanning, and IaC scanning, integrated into CI/CD pipelines;
  • Triage, validate, prioritize, and reduce false positives in security findings, and partner with development teams to track issues through to remediation;
  • Define, implement, and maintain security gates and policies in CI/CD pipelines that balance risk reduction with developer velocity;
  • Secure the software supply chain, including dependency and open-source risk management, SBOM generation, artifact integrity and signing, and build pipeline hardening;
  • Support and coordinate application penetration testing and validate fixes for identified vulnerabilities;
  • Drive secrets management, secure configuration, API security, container and image security, and microservice security practices;
  • Establish and run a security champions program, and develop and deliver secure-coding training, guidelines, and reusable security patterns for developers;
  • Define and maintain application security standards, baselines, and policy-as-code, and contribute to vulnerability management and risk-acceptance processes;
  • Build, deploy, and maintain AI-assisted automations and agentic workflows that reduce manual effort across daily application security activities;
  • Build and integrate AI agents and LLM-backed automations into the SDLC and CI/CD pipelines;
  • Develop, test, and maintain reusable prompts, structured-prompting patterns, and prompt templates for recurring AppSec tasks;
  • Implement retrieval over codebases, security standards, and remediation guidance so AI assistants answer from current, authoritative internal context;
  • Build evaluation, validation, and human-in-the-loop checkpoints into AI-assisted AppSec workflows;
  • Implement security and privacy controls for AppSec AI usage, including least-privilege access for agents, source-code and secrets handling, prompt-injection resistance, and auditability;
  • Design, implement, and operate security controls for AI- and LLM-powered application features, aligned to the OWASP Top 10 for LLM Applications;
  • Define and enforce guardrails for secure adoption of AI in product engineering and advise development teams on building AI features securely.

requirements

  • Bachelor's degree in Computer Science, Information Security, Engineering, or equivalent practical experience;
  • Hands-on application security experience across the software development lifecycle;
  • Strong understanding of common application vulnerability classes and mitigations, including the OWASP Top 10, and of secure coding principles;
  • Practical experience with application security tooling, such as SAST, DAST, SCA, and secrets scanning, and integrating it into CI/CD;
  • Working knowledge of at least one programming language (e.g., Python, Java, C#, JavaScript/TypeScript, or Go) sufficient to read code and assess vulnerabilities;
  • Experience with threat modeling and secure design review methodologies;
  • Understanding of DevOps/DevSecOps practices, CI/CD pipelines, and secure-by-design principles;
  • Familiarity with cloud application security concepts across at least one major cloud platform such as Azure, AWS, or GCP;
  • Experience participating in several production projects or engineering teams;
  • Ability to work closely with developers, architects, QA engineers, DevOps, product, and security teams, and to influence without owning the codebase;
  • Ability to follow, maintain, and improve defined security processes;
  • Practical understanding of AI-assisted productivity and automation beyond basic chatbot usage;
  • Good communication skills and the ability to explain security risks, technical decisions, and remediation plans to both technical and non-technical stakeholders;
  • Nice to have: Experience with application security platforms and tools (Snyk, Checkmarx, Veracode, SonarQube, Semgrep, GitHub Advanced Security, Burp Suite, OWASP ZAP), software supply chain security (SBOM, SLSA, Sigstore), Infrastructure as Code and policy-as-code security tools (Terraform, Bicep, ARM templates, OPA, Checkov, Trivy), container and Kubernetes security, API security, secrets management (HashiCorp Vault, Azure Key Vault), microservice security patterns, compliance or security frameworks (ISO 27001, NIST, CIS Benchmarks, PCI DSS, HIPAA, SOC 2, SOX), integrating security findings with SIEM/SOAR, AI/LLM platforms or frameworks (Azure OpenAI, Azure AI Foundry, Amazon Bedrock, Microsoft Copilot Studio, LangChain, AutoGen), understanding of AI and LLM application security risks, security certifications (CSSLP, GWAPT, GWEB, OSCP, OSWE, CISSP, CISM, CCSP, AI-related certifications).

conditions

  • No conditions specified

If you are asked to sign in via iCloud, send codes from SMS, run code, install something, transfer money, or do anything involving money, do not agree: these are signs of fraud.
