Application Security Engineer 3

Black Duck Software, Inc. helps organizations build secure, high-quality software, minimizing risks while maximizing speed and productivity. Black Duck, a recognized pioneer in application security, provides SAST, SCA, and DAST solutions that enable teams to quickly find and fix vulnerabilities and defects in proprietary code, open source components, and application behavior. With a combination of industry-leading tools, services, and expertise, only Black Duck helps organizations maximize security and quality in DevSecOps and throughout the software development life cycle.

Application Security Engineer III

We’re seeking a Senior Application Security Consultant with deep expertise in software security, secure development practices, governance, and framework-driven transformation planning. In this role, you will lead client engagements to assess Application Security Programs (AppSec) against industry frameworks and deliver strategic roadmaps that help organizations build, scale, and measure their secure software development capabilities. This position blends strategic consulting, technical governance, and development lifecycle expertise to translate assessment findings into actionable, measurable programs aligned with frameworks such as BSIMM and NIST SSDF .

Key Responsibilities

• Lead AppSec Program maturity assessments using frameworks like BSIMM, NIST SSDF, and OWASP SAMM, including stakeholder interviews, evidence collection, and scoring.
• Design and deliver Strategic Roadmaps outlining target states, 12–36-month plans, resource needs, and success metrics.
• Facilitate workshops with executive, engineering, and AppSec leadership to align initiatives with organizational risk and compliance goals.
• Deliver compelling, executive-level presentations and recommendations to CISOs, CTOs, and software leadership teams.
• Contribute to internal tools and accelerators (e.g., maturity scoring tools, roadmap templates, reporting dashboards).
• Support thought leadership through whitepapers, webinars, and conference presentations on secure software development and governance.

Qualifications

Must to have:

• 5 – 8 years of experience in application security, software assurance, or product security consulting .
• Strong knowledge of frameworks such as BSIMM, NIST SSDF, or OWASP SAMM .
• Experience with Open-Source Software (OSS) security , including identification, tracking, and remediation of vulnerabilities in third-party components.
• Familiarity with Software Bill of Materials (SBOM) standards and tools (e.g., SPDX, CycloneDX), and their role in software supply chain transparency and compliance
• Proven experience in developing or executing maturity models, capability assessments, or multi-year roadmaps for AppSec or DevSecOps programs.
• Hands-on experience with secure software development practices, including familiarity with SDLC, CI/C