
Senior Security Engineer

Job in Elizabethtown, Hardin County, Kentucky, 42701, USA
Listing for: Hexion Inc.
Full Time position
Listed on 2026-06-21
Job specializations:
  • IT/Tech
    Cybersecurity
Salary/Wage Range or Industry Benchmark: 100000 - 125000 USD Yearly
Job Description & How to Apply Below

Company Overview

Hexion is a global leader in specialty chemicals, delivering innovative solutions that improve performance, sustainability, and efficiency across industries. The company is investing in a world‑class security engineering function that embeds security deeply into the software development lifecycle, cloud infrastructure, and enterprise operations.

Position Overview

The Senior Security Engineer is a hands‑on technical leader responsible for architecting and operationalizing security across Hexion's software development pipelines, cloud environments, and enterprise systems. The role requires deep expertise in application security tooling (SAST, DAST, SCA), software supply chain integrity (SBOM), secrets management, cloud security posture, and DevSecOps practices.

Key Responsibilities
  • Embed security at every stage of the SSDLC.
  • Identify and remediate vulnerabilities before they reach production.
  • Define, enforce, and continuously validate cloud and application security baselines.
  • Equip developer teams with secure‑by‑default tooling and guardrails.
  • Own selection, deployment, tuning, and operation of application security testing tools.
  • Implement and manage Static Application Security Testing (SAST) tools integrated into CI/CD pipelines (e.g., Checkmarx, Snyk, Semgrep, SonarQube, Veracode).
  • Deploy and operate Dynamic Application Security Testing (DAST) solutions for runtime vulnerability detection (e.g., OWASP ZAP, Burp Suite Enterprise, Checkmarx).
  • Integrate Software Composition Analysis (SCA) to identify vulnerabilities in open‑source dependencies (e.g., Snyk, Black Duck, Dependabot).
  • Establish triage workflows, severity thresholds, and developer‑facing remediation guidance.
  • Track vulnerability metrics and report on risk‑reduction trends.
  • Build and govern the enterprise SBOM program: define generation standards, integrate SBOM into build pipelines, maintain inventory, support disclosure requirements, advise on dependency hygiene, and manage license compliance.
  • Embed security natively into CI/CD pipelines and developer workflows: design and enforce pipeline security gates, implement pre‑commit hooks, PR scanning, and automated security feedback loops, enforce configurations across GitHub Actions, Azure DevOps, Jenkins, or equivalent.
  • Operate enterprise secrets management: leverage Delinea, CyberArk, AWS Secrets Manager, Azure Key Vault; detect and remediate hardcoded credentials; define rotation policies; integrate secrets injection into CI/CD pipelines and runtimes; conduct periodic secrets sprawl audits.
  • Establish and enforce secure source‑control practices: define branch protection standards, govern repository access policies, implement code scanning and secret detection on all branches, enforce code signing and supply‑chain integrity controls.
  • Own cloud security architecture and posture management: deploy and operate CSPM tooling, define and enforce cloud security baselines, enable IAM policies, network segmentation, resource tagging, encryption standards, monitor misconfigurations, drift, and integrate findings into enterprise risk management.
  • Define and enforce security baselines across the enterprise: author and maintain baselines aligned to CIS Benchmarks and internal policy, implement automated compliance validation, translate policy into enforceable controls, partner with compliance and risk teams.
  • Champion security throughout the development lifecycle: operationalise SSDLC practices, conduct threat‑modeling workshops, develop security requirements, establish review gates at key SDLC milestones.
  • Collaborate across teams: serve as primary liaison to application development, platform engineering, and DevOps; partner with SOC, GRC, risk, and vendors; engage open‑source communities.
Key Competencies
  • Build and operate security tools, not just advise on them.
  • Understand how software is built and design controls developers can use.
  • Prioritise based on real risk, not just vulnerability counts.
  • Automation mindset; reach for code and tooling before manual processes.
  • Translate technical findings into business risk for non‑technical audiences.
  • Stay current in fast‑moving threat and tooling landscape.
  • L…
Position Requirements
10+ Years work experience