KeHE Distributors

Engineer, Application Security

KeHE Distributors | $78K – $114K *
Information Technology
Less than 5 years of experience
Job Overview by Ladders

Qualifications

  • Bachelor’s degree in Computer Science, Software Engineering, Information Security, or related field; or equivalent practical experience.
  • 3–8+ years of experience in application security, secure software engineering, DevSecOps, or software development with significant security responsibilities.
  • Strong understanding of application security fundamentals and common vulnerability classes.
  • Hands-on experience with application security testing methodologies and tools (SAST/DAST/SCA).
  • Experience integrating security checks into CI/CD pipelines and developer workflows.

Responsibilities

  • Partner with software engineering teams to embed security activities into the SDLC.
  • Define, maintain, and promote secure-by-default coding standards and reusable security control patterns.
  • Implement and continuously tune application security testing tools within CI/CD pipelines.
  • Triage, validate, and prioritize application security findings based on business impact and exposure.
  • Provide security guidance on modern architectures like APIs and microservices.
  • Mitigate software supply chain risks through strict dependency governance.
  • Assist Security Operations and engineering teams with investigating AppSec incidents.
  • Oversee security for GenAI and agentic tools, conducting relevant assessments.

Benefits

  • Health/Rx, Dental, and Vision coverage available from Day 1.
  • Flexible and health spending accounts (FSA/HSA).
  • Supplemental life insurance and 401(k) plans offered.
  • Paid time off and sick time included.
  • Short-term and long-term disability coverage provided.
  • Employee stock ownership (ESOP) program.
  • Holiday pay for designated company holidays.

Full Job Description

  • Full-time
  • Pay Range: $78,210.00/Yr. - $114,648.00/Yr.
  • Benefits on Day 1
    • Health/Rx
    • Dental
    • Vision
    • Flexible and health spending accounts (FSA/HSA)
    • Supplemental life insurance
    • 401(k)
    • Paid time off
    • Paid sick time
    • Short term & long term disability coverage (STD/LTD)
    • Employee stock ownership (ESOP)
    • Holiday pay for company designated holidays

    Overview

    At KeHE, we’re obsessed with creating solutions, unboxing potential, and serving others – and it all starts with you. As an employee-owned distributor of natural and organic, specialty, and fresh products, we’re committed to making a positive impact and scaling our success together. With a culture that fosters development and opportunity, you’ll be embarking on a career that’s moving forward. When you join KeHE, you’re becoming part of a team that is a force for good.

    Primary Responsibilities

    The Application Security Engineer (AppSec) reduces application and software risk by embedding security into the secure software development lifecycle (SSDLC). This role partners closely with engineering, infrastructure, and product teams to design secure architectures, perform threat modeling, implement security testing and CI/CD controls, and drive remediation of vulnerabilities. As the organization's AI adoption expands across business and engineering teams, the incumbent will help evaluate and shape security practices for emerging AI and agentic tools, including GenAI assessments and guardrail development as these programs mature. The role develops practical security standards, builds and operates a vulnerability operations function, improves developer enablement through reusable patterns and automation, and supports investigations related to application vulnerabilities, insecure configurations, or software supply chain risk. As with all positions at KeHE Distributors, all actions and responsibilities are expected to align with KeHE’s Mission, Vision, and Values.

    Essential Functions

    DUTIES, TASKS AND RESPONSIBILITIES:

    • Secure SDLC Integration: Partner with software engineering teams to embed security activities (design, build, test, deploy, operate) into the SDLC, including performing threat modeling and security design reviews.
    • Standards & Patterns: Define, maintain, and promote "secure-by-default" coding standards, reusable security control patterns, and templates to scale consistent security practices.
    • AppSec Tooling & Automation: Implement, operate, and continuously tune application security testing tools (SAST, DAST, SCA, secrets, containers, IaC) within CI/CD pipelines to ensure high-signal, actionable feedback.
    • Risk-Based Vulnerability Management: Triage, validate, and prioritize application security findings based on business impact and exposure; track remediation SLAs, verify fixes, and document risk acceptances or compensating controls.
    • Modern Architecture & Platform Security: Provide security guidance on modern architectures (APIs, microservices, cloud, serverless), focusing on identity/access management (RBAC, least privilege, token handling), rate limiting, and secure configurations.
    • Supply Chain & Secrets Reduction: Mitigate software supply chain risks through strict dependency governance and secure artifact management, while driving improvements in secrets management to eliminate hard-coded credentials.
    • Incident Response Support: Assist Security Operations and engineering teams with investigating AppSec incidents (e.g., exposed secrets, exploits), and lead post-incident reviews to implement preventative guardrails.
    • Governance, Risk, & Compliance: Provide control evidence to support compliance audits and evaluate the security posture of third-party/vendor-integrated applications.
    • Developer Enablement & Culture: Foster a strong security culture by delivering security training, hosting office hours, publishing developer-friendly documentation, and demonstrating company core values.
    • AI & Agentic Tool Security: Oversee security for GenAI, RAG, and agentic tools by conducting OWASP LLM/Agentic Top 10 assessments, enforcing per-tool security checklists (blast-radius and data boundaries), and owning the security sign-off for POC-to-production decisions.
    • Other duties and projects as assigned.

    Minimum Requirements, Qualifications, Additional Skills, Aptitude

    SKILLS, KNOWLEDGE AND ABILITIES:

    • Strong understanding of application security fundamentals and common vulnerability classes (e.g., OWASP Top 10) and secure coding practices.
    • Experience conducting threat modeling and security design reviews; ability to identify abuse cases, trust boundaries, and mitigations.
    • Hands-on experience with application security testing methodologies and tools (SAST/DAST/SCA, secrets scanning); ability to interpret results and drive remediation.
    • Experience integrating security checks into CI/CD pipelines and developer workflows; familiarity with Git-based workflows and modern build/release practices.
    • Ability to prioritize findings using risk context (asset criticality, exposure, exploitability, data sensitivity).
    • Strong written and verbal communication skills; ability to translate security requirements into practical engineering actions.
    • Experience securing cloud-native applications (AWS preferred; Azure exposure a plus) and modern architectures (APIs, containers, microservices, serverless).
    • Familiarity with container and IaC security concepts (image scanning, Kubernetes security concepts, Terraform/CloudFormation scanning).
    • Scripting/automation skills (Python, PowerShell, or similar) to improve scale and reduce manual work.
    • Familiarity with secrets management tooling and practices (vaults, key management, rotation workflows).
    • Familiarity with secure SDLC governance and control mapping to common frameworks (NIST CSF, CIS Controls, NIST 800-53).


    EDUCATION AND EXPERIENCE:

    • Bachelor’s degree in Computer Science, Software Engineering, Information Security, or related field; or equivalent practical experience.
    • 3–8+ years of experience in application security, secure software engineering, DevSecOps, or software development with significant security responsibilities.

    PHYSICAL REQUIREMENTS:

    • This position operates in a hybrid working environment, with in-person presence preferred Tuesday, Wednesday, and Thursday (remote work available Monday and Friday, as business needs allow).
    • Ability to work in a standard office environment which requires sitting and viewing monitor(s) for extended periods of time, operating

    Requisition ID: 2026-29461

About KeHE Distributors

KeHE Distributors is a food distribution company that provides natural and organic, specialty and fresh products to grocery and natural food stores. The company was founded in 1953 and is headquartered in Romeoville, Illinois. KeHE Distributors has over 16,000 products and serves over 30,000 customers.
Size: 5,000 employees
Founded: 1952
