Senior Manager, Application Security

Simpson Thacher and Bartlett LLP

$190K — $220K *
Information Technology
8 - 10 years of experience
Job Overview by Ladders

Qualifications

  • Bachelor's degree in information security, IT, risk management, or equivalent experience
  • 10+ years of experience in application security or software security roles
  • Hands-on experience securing modern application ecosystems including web applications, APIs, and cloud-native workloads
  • Experience building enterprise-grade Application Security programs in complex organizations
  • Proficient in secure SDLC principles and application security testing methodologies

Responsibilities

  • Develop and mature the enterprise application security strategy
  • Define secure development standards for various application types
  • Establish minimum security requirements for critical application features
  • Integrate application security controls into CI/CD pipelines
  • Conduct threat modeling and architecture assessments for high-risk applications
  • Lead a team of application security engineers and facilitate their development
  • Communicate application security risks and recommendations to stakeholders

Benefits

  • Flexible working arrangements including hybrid work model
  • Professional development opportunities and training
  • Supportive work culture focused on innovation and continuous improvement
  • Access to cutting-edge security tools and technologies
  • Team-building initiatives and collaborative environment
Full Job Description
JOB SUMMARY
The Senior Manager, Application Security is responsible for defining, leading, and operationalizing the firm's application security program across internally developed applications, SaaS platforms, APIs, databases, generative AI platforms, and emerging application architectures. This role partners closely with application engineering, cloud, and platform teams to embed security into the software development lifecycle while enabling teams to deliver securely at scale.

The ideal candidate is a highly skilled, hands-on technical leader who can translate security requirements into practical developer workflows while enabling rapid and reliable software delivery.

JOB DUTIES & RESPONSIBILITIES
  • Develop, execute, and continuously mature the enterprise application security strategy in alignment with industry best practices, regulatory requirements, and client contractual obligations.
  • Define and maintain secure application development standards for internally developed software, third-party applications, APIs, SaaS platforms and containerized workloads.
  • Establish minimum security requirements for application authentication, authorization, encryption, secrets handling, and data protection.
  • Define, maintain, and enforce secure SDLC and DevSecOps standards across all development teams.
  • Integrate application security controls into CI/CD pipelines, developer platforms, and engineering workflows with a focus on automation and scalability.
  • Partner with Application Engineering and DevOps teams to embed automated security testing and preventive controls while maintaining security ownership of policy and enforcement.
  • Evaluate, select, implement, and manage the full lifecycle of application security tooling including:
    • SAST, DAST, SCA, and API security testing platforms
    • Container image scanning and registry security tooling
    • Kubernetes security and runtime protection solutions
    • Software supply chain security tooling
  • Design and implement integrations between application security tooling and developer workflows to minimize friction and maximize adoption.
  • Design and build automation to support application security processes including:
    • Orchestrated automated security testing.
    • Vulnerability triage and prioritization workflows
    • Developer feedback loops and ticketing system integrations
    • Exception handling, risk acceptance, and policy waiver workflows
    • Security metrics and pipeline telemetry
  • Identify and assess application security risks including vulnerable dependencies, insecure authentication patterns, data exposure risks, and insecure configuration.
  • Perform and support threat modeling, architecture reviews, and secure design assessments for high-risk, or business critical applications.
  • Support the security review, onboarding, and ongoing risk management of third-party and SaaS applications.
  • Develop and maintain metrics, dashboards, and reporting to measure application security posture, testing coverage, and vulnerability remediation effectiveness.
  • Provide application security subject matter expertise during security incidents, investigations, and post-incident remediation efforts.
  • Lead, mentor, and develop a team of application security engineers, fostering strong technical depth and career growth.
  • Partner with engineering leadership to drive secure-by-design development practices and shared accountability for risk reduction.
  • Communicate application security risks, tradeoffs, and recommendations clearly to both technical and executive stakeholders.
  • Promote a developer-friendly security culture focused on automation, guardrails, measurable risk reduction, and engineering velocity.
  • Stay current on emerging application threats, attack techniques, and defensive technologies, and apply this knowledge to continuously improve program effectiveness.


EDUCATION
Required
  • Bachelor's degree in information security, IT, risk management, related discipline, or equivalent experience

Preferred
  • Professional certifications such as CISSP, CISM, or similar


SKILLS AND EXPERIENCE
  • 10+ years of progressive experience in application security, product security, or software security engineering roles
  • Hands-on experience securing modern application ecosystems, including web applications, APIs, microservices, cloud-native workloads, container, and Kubernetes platforms
  • Demonstrated success building, scaling, and operating enterprise-grade Application Security programs within large, complex organizations, preferably in hybrid environments (on-premises, multi-cloud, Kubernetes, and SaaS).
  • Experience partnering with application, DevOps, and platform engineering teams to design and implement security controls that scale without impeding developer velocity.
  • Hands-on experience implementing and operationalizing enterprise application security tooling and integrating controls into CI/CD pipelines and developer workflows.
  • Technical Skills & Knowledge:
    • Secure SDLC principles and DevSecOps integration patterns
    • Application security testing methodologies and tooling (SAST, DAST, SCA, API testing)
    • Container security concepts, including image hardening, vulnerability scanning, secure registries, and container lifecycle management.
    • Cloud-native application security concepts
    • Software supply chain security principles
    • Security automation and scripting (Python, PowerShell, or similar)
    • CI/CD security integration patterns
  • Demonstrated ability to lead, mentor, and develop high-performing application security or product security engineering teams.
  • Strong program and project management capabilities, with a track record of delivering complex, cross-functional initiatives on time and within budget.
  • Experience operating within global organizations and collaborating effectively across diverse geographies, cultures, and business units.
  • Proven ability to manage third-party vendors and security technology providers, including evaluation, onboarding, delivery oversight, and performance management.
  • Strong interpersonal and collaboration skills, with comfort engaging regularly with senior leadership and key internal and external stakeholders.
  • Excellent executive communication and presentation skills, with the ability to clearly articulate risk, strategy, and technical concepts to both technical and non-technical audiences.
  • Strong ability to manage multiple concurrent priorities, exercise sound judgment, and effectively allocate time and resources in a fast-paced environment.
  • Proven ability to execute effectively amid ambiguity and incomplete information, applying risk-based decision-making.
  • Demonstrated continuous learning mindset, staying current on emerging technologies, security threats, vulnerabilities, and attack vectors.
  • Passion for innovation, automation, and driving continuous improvement in application security processes.


POSTING DISCLOSURE:

Simpson Thacher will not sponsor applicants for work visas for this position.

Salary Information

NY Only: The estimated base salary range for this position is $190,000 to $220,000 at the time of posting.

The actual salary offered will depend on a variety of factors, including without limitation, the qualifications of the individual applicant for the position, years of relevant experience, level of education attained, certifications or other professional licenses held, and if applicable, the location in which the applicant lives and/or from which they will be performing the job. This role is exempt meaning it is not overtime pay eligible.

#LI-Hybrid

Similar Jobs

More Jobs at Simpson Thacher and Bartlett LLP

More Information Technology Jobs

Find similar Senior Manager, Application Security jobs: