Carters, Inc

Lead Application Security Engineer

Carters, Inc
$120K — $150K *
Information Technology
5 - 7 years of experience
Job Overview by Ladders

Qualifications

  • 5+ years of experience in application security or secure code review
  • Proficiency in programming languages such as Python, Java, or JavaScript
  • Experience with SAST/DAST tools like Snyk and Burp Suite
  • Strong communication skills for engaging with various stakeholders
  • Ability to collaborate across cross-functional teams

Responsibilities

  • Define and manage the enterprise application security architecture and standards
  • Conduct secure code reviews and automated assessments
  • Design and implement security protocols within CI/CD pipelines
  • Build and govern AI security tools and strategies
  • Lead cross-functional collaboration on compliance and risk governance

Benefits

  • Open to flexible work arrangements as needed
  • Opportunity for travel between company offices
  • Access to professional development and training opportunities
  • Engagement with cutting-edge AI security technology
Full Job Description
How you’ll make an impact:

The Lead Security Engineer – Application Security is a senior technical leader within the IT Security team, reporting to the Sr. Director, IT Security. This role serves as the primary architect and subject matter expert for application security across the enterprise, owning the AppSec program strategy, standards, and tooling roadmap. Working autonomously and with broad organizational influence, the Lead exercises expert-level judgment to define how security is built into software from the ground up. A critical distinction of this role is hands-on experience with artificial intelligence: the Lead is expected to build, secure, and govern AI-powered capabilities as they become embedded in Carter’s applications and infrastructure. The Lead acts as a force multiplier – elevating the security posture of every engineering team they engage with and translating complex risk into clear, actionable direction for both technical and business stakeholders. 

Key Responsibilities

Depending on the needs of the department, the duties of this role could include: 

  • Application security, architecture & standards (25%)
    • Defining and owning the enterprise application security architecture, standards, and secure-by-default patterns
    • Establishing and maintaining AppSec tooling strategy, evaluating vendors, and driving adoption across engineering teams
    • Leading threat modeling sessions for critical applications and new product features
    • Serving as the final technical authority on AppSec decisions, including security design reviews and architecture signoffs
  • Secure code review, API security & advanced testing (25%)
    • Conducting and directing advanced secure code reviews, SAST/DAST assessments, and manual penetration testing across web, mobile, and API surfaces
    • Owning API security standards including REST and GraphQL, enforcing OWASP API Top 10 controls and authentication/authorization design patterns
    • Driving vulnerability triage, risk prioritization, and remediation accountability across development teams at scale
  • DevSecOps engineering & platform ownership (20%)
    • Owning the DevSecOps toolchain: designing, deploying, and maturing security gates within CI/CD pipelines enterprise-wide
    • Acting as the primary security partner to engineering leadership, embedding security into system design, SDLC processes, and platform decisions
    • Driving continuous improvement of AppSec metrics, dashboards, and KPIs to demonstrate program maturity and risk reduction
  • AI security – build, secure & govern (20%)
    • Hands-on building and deploying AI-powered security tooling and automation (e.g., AI-assisted code review, threat detection, or vulnerability triage)
    • Securing AI/ML integrations and connectors: assessing prompt injection, data leakage, model supply chain, and third-party AI service risks
    • Developing and enforcing AI governance policies: defining acceptable use, security review gates, and risk acceptance criteria for AI adoption
  • Risk governance, compliance & cross-functional leadership (10%)
    • Representing the IT Security team in architecture reviews, cross-functional planning, and executive risk reporting
    • Owning security policy and standards documentation relevant to application security, AI use, and API governance
    • Leading AppSec representation in PCI-DSS, NIST, and OWASP compliance audits and evidence collection

Travel Requirements

Open to travel between various Carter's offices as needed


We’d love to hear from you if: (Requirements section)

Must have:

  • 5+ years of application security, software engineering, or secure code review experience
  • Strong proficiency in one or more languages (e.g., Python, Java, JavaScript, Go) with ability to perform in-depth code review and threat modeling.
  • Experience with SAST/DAST tooling (e.g., Snyk, SonarQube, Semgrep, Checkmarx, Burp Suite, OWASP ZAP) and ownership of AppSec program design.
  • Proven communication and presentation skills with stakeholders at multiple levels
  • Ability to meet deadlines and work with management across various disciplines
  • Proven collaborative experience with cross-functional teams
  • Ability to perform on-call duties during off-hours and holidays
  • An adaptable and flexible attitude towards changing business needs

Preferred skills and experience:

  • Bachelor’s degree in computer science or related field
  • Demonstrated experience leading or conducting red team, penetration testing, or adversarial simulation exercises.
  • Experience designing and scaling security observability pipelines, including log analysis and application-layer telemetry.
  • Working knowledge of PCI-DSS, NIST, OWASP, and other regulatory frameworks; experience representing security in audit and compliance reviews.
  • Proven experience securing cloud-native or hybrid-cloud application environments (AWS, Azure, or GCP).
  • Hands-on experience building, deploying, or integrating AI/ML-powered tools, combined with the ability to assess and govern their security posture (prompt injection, data leakage, model supply chain risks).
  • Proven ability to define and enforce security standards across engineering organizations; prior experience owning a security capability or domain.
  • Security+, ISC2 CC, CompTIA A+, CompTIA Network+, SSCP, CCT, GWEB, CSSLP, CEH, or OSCP certifications

About Carters, Inc

Carter's, Inc. operates as a children's apparel and accessories company in the United States and internationally. The company operates through three segments: U.S. Retail, U.S. Wholesale, and International. Its Carter's brand products include baby products, such as bodysuits, pants, dresses, knit sets, blankets, layette essentials, bibs, booties, sleep and play products, rompers, and jumpers; play clothes comprising knit and woven cotton apparel; sleepwear products consisting of pajamas in cotton, fleece, and poly-jersey; and other products, including bedding, outerwear, swimwear, footwear, socks, diaper bags, gift sets, toys, and hair accessories. The company also provides products under the OshKosh brand name, which comprise play clothes in denim, fleece, and other fabrics for sizes newborn to 14. It sells its products through company-operated stores, department stores, and online, as well as through other retail outlets, such as specialty stores, national chains, and mass merchants. As of January 2, 2021, the company operated approximately 800 Carter's retail stores, 100 OshKosh retail stores, and its products were available in approximately 18,000 department stores and other retail outlets in the United States, Canada, and internationally. Carter's, Inc. was founded in 1865 and is headquartered in Atlanta, Georgia.
Company facts

  • Size: 15,900 employees
  • Market Cap: $2.8 billion
  • Net Income: $109.7 million
  • Founded: 1865
  • 5 Year Trend: +1.7%
  • Revenue: $3 billion
  • Exchange: NASDAQ
