TC-CS-CTM-AppSec-Manager
Job description
At EY, you’ll have the chance to build a career as unique as you are, with the global scale, support, inclusive culture and technology to become the best version of you. And we’re counting on your unique voice and perspective to help EY become even better, too. Join us and build an exceptional experience for yourself, and a better working world for all.
TEM Manager – DevSecOps
As part of our Cyber Security team, you will lead and drive Secure SDLC (SSDLC) practices across the software development lifecycle, ensuring security is embedded into design, development, testing, and deployment processes. You will be responsible for defining security standards, processes, and governance for applications, infrastructure, and enterprise systems, while guiding teams on secure engineering practices. Working closely with DevOps, Architects, Developers, and QA teams, you will enable the delivery of secure, resilient applications, oversee security assessments, and provide clear, actionable insights on risks, findings, and remediation strategies.
The opportunity
We’re looking for a Manager – Application Security & DevSecOps with strong consulting and leadership experience. This role offers the opportunity to drive end-to-end AppSec and DevSecOps programs, working with clients and engineering teams to embed security across CI/CD pipelines. You will lead teams, engage stakeholders, and enable secure adoption of AI-driven and GenAI solutions, helping organizations scale modern, future-ready security practices.
Your Key Responsibilities
- Lead application security consulting engagements, working closely with clients to define, design, and implement scalable AppSec and DevSecOps programs aligned to business objectives.
- Manage and oversee large-scale, enterprise applications ensuring security is embedded across the SDLC.
- Drive end-to-end application security program development, including governance, tooling strategy, operating model, and maturity roadmap.
- Perform current-state DevSecOps and AppSec maturity assessments (OWASP SAMM, NIST SSDF, BSIMM), identify gaps, and provide actionable recommendations to clients.
- Architect and implement DevSecOps programs, integrating security controls into CI/CD pipelines (SAST, SCA, DAST, secrets scanning, IaC, container security).
- Provide technical leadership and team management, guiding and mentoring junior consultants, reviewing deliverables, and ensuring quality outcomes.
- Engage directly with client stakeholders (technical and executive), communicating risks, strategies, and security posture improvements effectively.
- Translate complex security concepts into business-aligned insights for senior leadership and non-technical stakeholders.
- Lead secure SDLC enablement, including secure coding practices, source code reviews, and vulnerability remediation guidance.
- Design and implement automation strategies for security tools (SAST/DAST reporting, pipeline integrations, dashboards).
- Drive adoption of agile and lean product development principles, embedding security into iterative development cycles.
- Define and implement AppSec governance frameworks, policies, standards, and metrics for continuous improvement.
- Support business development activities
- Develop custom security solutions and accelerators to proactively mitigate risks across the organization.
- Integrate AI/ML capabilities into application security programs, including risk prioritization, anomaly detection, and intelligent vulnerability management.
- Lead initiatives around AI security and secure adoption of GenAI/LLMs, including threat modeling, prompt security, and secure integration into enterprise environments.
Skills and Attributes for Success
- Proven experience in application security consulting and advisory, including client-facing program delivery.
- Experience with scripting / programming skills (e.g., Python, PowerShell, Java, Perl etc.) updated and familiarized with the latest exploits and security trends.
- Strong expertise in building and scaling AppSec/DevSecOps programs in enterprise environments.
- Hands-on experience with manual and automated Threat modeling, SAST, DAST, and SCA assessments.
- Strong team management and leadership skills, with experience mentoring and managing distributed teams.
- Excellent client communication and stakeholder management skills, including interaction with senior leadership.
- Experience in designing and implementing DevSecOps CI/CD pipelines using both open-source and enterprise tools.
- Proficiency in scripting/programming (Python, PowerShell, Java, etc.) with awareness of latest exploits and security trends.
- Familiarity with DAST tools (Acunetix, WebInspect, AppScan, Burp Suite), SAST,SCA tools (Checkmarx, Fortify, Veracode, Coverity), container and cloud security tools.
- Experience in performing Threat modeling using STRIDE methodologies.
- Experience integrating security into SCM platforms (GitHub, GitLab, Bitbucket) using webhooks, actions, and pipeline controls.
- Strong knowledge of web application security (OWASP Top 10) and secure coding practices.
- Experience across container security, IaC security, and compliance-as-code implementations.
- Ability to optimize DevSecOps pipelines and define security maturity models and KPIs.
- Strong understanding of Agile, DevOps, and Lean development practices.
- Exposure to AI/ML and GenAI technologies, including their usage in secure SDLC, automation, and developer productivity.
- Understanding of AI/ML security risks (model poisoning, prompt injection, data leakage) and mitigation techniques.
- Experience or familiarity with AI-assisted security tools (e.g., AI-driven code analysis, automated triaging, LLM-based secure coding support).
To qualify for the role, you must have
- BE/ B.Tech/ MCA.
- Minimum of 10 years of work experience in application security, Secure SDLC and DevSecOps.
- Certifications: Mandatory to have any one of the below certifications,
- Azure Security Architect (Az-500)
- AWS security speciality certification (SCS-C01)
- Knowledge of Windows, Linux, UNIX, any other major operating systems.
- Strong Excel and PowerPoint skills.
Ideally, you’ll also have
- Project management skills
- Certifications: CSSLP, CISSP, Certified DevSecOps Professional
What we look for
- A candidate who can design and build a complete DevSecOps programme and work around a maturity model, optimizing the pipeline to integrate the best tools according to the client requirement.
EY | Building a better working world
EY exists to build a better working world, helping to create long-term value for clients, people and society and build trust in the capital markets.
Enabled by data and technology, diverse EY teams in over 150 countries provide trust through assurance and help clients grow, transform and operate.
Working across assurance, consulting, law, strategy, tax and transactions, EY teams ask better questions to find new answers for the complex issues facing our world today.