Application security engineer senior
Listed on 2026-02-14
IT/Tech
Cybersecurity
Now Brewing – Senior Application Security Engineer! #tobeapartner
From the beginning, Starbucks set out to be a different kind of company. One that not only celebrated coffee and the rich tradition, but that also brought a feeling of connection.
Overview
As a Cybersecurity Engineer Sr on our Application Security Engineering team within Global Cybersecurity Services (GCS), you will help protect the experiences millions of customers and partners rely on every day, including mobile ordering, loyalty, and partner-facing platforms. You will provide hands‑on security engineering and consultative guidance to product and engineering teams, helping ensure applications and APIs are designed, built, and operated in alignment with Starbucks security standards and resilient‑by‑design practices.
In this role, you will serve as the primary owner for key application security testing services, including in‑house penetration testing, DAST scanning, and vendor‑delivered penetration testing, including compliance‑driven testing (with App Sec oversight).
- Own and deliver core App Sec offensive security testing services by executing in‑house penetration testing, operating and continuously improving DAST scanning, and providing App Sec oversight for vendor‑delivered penetration testing, including compliance‑driven testing, to ensure quality, consistency, and risk‑based reporting and prioritization.
- Drive application security outcomes by translating findings into clear, actionable remediation guidance across web, mobile, and API services, and partnering with engineering teams to reduce repeat issues and measurably improve risk posture over time.
- Partner and influence across the enterprise by mentoring peers, advising engineering leaders, and contributing as an application security SME during security incidents and for vulnerability disclosure reports, ensuring threats are contained and lessons learned translate into stronger controls.
- Bachelor's degree in a relevant field or 5+ years of equivalent experience in cybersecurity engineering related roles.
- 6+ years of experience working in an information technology discipline.
- 6+ years of infrastructure / information security experience.
- 4+ years of experience working with infrastructure as code technologies.
- Experience deploying, configuring, and troubleshooting cybersecurity tools in enterprise environments.
- Certifications such as CISSP, CISSM or others focused on cybersecurity, data privacy or information risk management.
- Advanced knowledge of cybersecurity principles and practices.
- Experience with technologies such as firewalls, antivirus software, and intrusion detection systems.
- Experience with security frameworks and compliance requirements.
- Proficiency in implementing and managing security controls and technologies.
- Knowledge of network security protocols and concepts.
- Familiarity with operating systems and network architectures.
- In‑depth understanding of enterprise‑level cybersecurity strategies, frameworks, and technologies.
- Proficiency in conducting security assessments and audits.
- Ability to develop and implement security policies and procedures.
- Experience in managing and responding to security incidents.
- Exceptional problem‑solving and troubleshooting skills.
- Excellent communication and collaboration skills, with the ability to work effectively with cross‑functional teams and stakeholders.
- Advanced experience with at least one modern programming language such as Java, Go, Python, Ruby, C++, or C#.
- Advanced proficiency interacting with APIs and automating tasks using common scripting languages.
- Experience performing offensive application security testing across web, mobile, and APIs, including manual testing techniques and secure design review.
- Experience building, operating, or scaling DAST scanning capabilities in an enterprise environment.
- Experience providing App Sec oversight for vendor penetration testing, including scoping, quality review of evidence and reporting, and retest validation.
- Familiarity with vulnerability disclosure workflows, including triage, validation, and partner…