Engineer, Application Security

Job in Naperville, DuPage County, Illinois, 60540, USA
Listing for: Kehe Food Distributors
Full Time position
Listed on 2026-06-20
Job specializations:
  • IT/Tech
    Cybersecurity
Salary/Wage Range or Industry Benchmark: 78210 USD Yearly
Job Description & How to Apply Below
Why Work for KeHE?

* Full-time

* Pay Range: $78,210.00/Yr.

* Benefits on Day 1

* Health/Rx

* Dental

* Vision

* Flexible and health spending accounts (FSA/HSA)

* Supplemental life insurance

* 401(k)

* Paid time off

* Paid sick time

* Short term & long term disability coverage (STD/LTD)

* Employee stock ownership (ESOP)

* Holiday pay for company designated holidays

Overview

At KeHE, we're obsessed with creating solutions, unboxing potential, and serving others - and it all starts with you. As an employee-owned distributor of natural and organic, specialty, and fresh products, we're committed to making a positive impact and scaling our success together. With a culture that fosters development and opportunity, you'll be embarking on a career that's moving forward. When you join KeHE, you're becoming part of a team that is a force for good.

Primary Responsibilities

The Application Security Engineer (App Sec) reduces application and software risk by embedding security into the secure software development lifecycle (SSDLC). This role partners closely with engineering, infrastructure, and product teams to design secure architectures, perform threat modeling, implement security testing and CI/CD controls, and drive remediation of vulnerabilities. As the organization's AI adoption expands across business and engineering teams, the incumbent will help evaluate and shape security practices for emerging AI and agentic tools, including GenAI assessments and guardrail development as these programs mature.

The role develops practical security standards, builds and operates a vulnerability operations function, improves developer enablement through reusable patterns and automation, and supports investigations related to application vulnerabilities, insecure configurations, or software supply chain risk. As with all positions at KeHE Distributors, all actions and responsibilities are expected to align with KeHE's Mission, Vision, and Values.

Essential Functions

DUTIES, TASKS AND RESPONSIBILITIES:

* Secure SDLC Integration:
Partner with software engineering teams to embed security activities (design, build, test, deploy, operate) into the SDLC, including performing threat modeling and security design reviews.

* Standards & Patterns:
Define, maintain, and promote "secure-by-default" coding standards, reusable security control patterns, and templates to scale consistent security practices.

* App Sec Tooling & Automation:
Implement, operate, and continuously tune application security testing tools (SAST, DAST, SCA, secrets, containers, IaC) within CI/CD pipelines to ensure high-signal, actionable feedback.

* Risk-Based Vulnerability Management:
Triage, validate, and prioritize application security findings based on business impact and exposure; track remediation SLAs, verify fixes, and document risk acceptances or compensating controls.

* Modern Architecture & Platform Security:
Provide security guidance on modern architectures (APIs, microservices, cloud, serverless), focusing on identity/access management (RBAC, least privilege, token handling), rate limiting, and secure configurations.

* Supply Chain & Secrets Reduction:
Mitigate software supply chain risks through strict dependency governance and secure artifact management, while driving improvements in secrets management to eliminate hard-coded credentials.

* Incident Response Support:
Assist Security Operations and engineering teams with investigating App Sec incidents (e.g., exposed secrets, exploits), and lead post-incident reviews to implement preventative guardrails.

* Governance, Risk, & Compliance:
Provide control evidence to support compliance audits and evaluate the security posture of third-party/vendor-integrated applications.

* Developer Enablement & Culture:
Foster a strong security culture by delivering security training, hosting office hours, publishing developer-friendly documentation, and demonstrating company core values.

* AI & Agentic Tool Security:
Oversee security for GenAI, RAG, and agentic tools by conducting OWASP LLM/Agentic Top 10 assessments, enforcing per-tool security checklists (blast-radius and data boundaries), and…