Still searching for jobs on search engines? Time to upgrade!
Instead of going through thousands of listings on your own, Jobify analyzes your CV and shows you only the jobs that genuinely fit you.
Over 80,000 jobs • 4,000 new every day
Free. No ads. No fine print.
Gett is a Ground Transportation Solution with the mission to organize all the best mobility providers (delivery, corporate fleet, ride-hailing, taxi, enterprise solutions like car pooling, and more) in one global platform, with great UX - optimizing the entire experience from booking and riding to invoicing and analytics, to save businesses time and money. We work with a third of the Fortune 500 companies and have over 17K active business customers across the world.
We are seeking a highly skilled and hands-on Application Security Lead to take ownership of our product and infrastructure security. Reporting directly to the CISO with a dotted line to the CTO, you will act as the critical bridge between our Security and Engineering teams, driving a robust "security-first" culture.
While this role encompasses both application and infrastructure security, our primary focus is on the Application Security domain. You will lead our transition towards a mature DevSecOps organization, ensuring that security is seamlessly embedded into every phase of our SDLC without compromising delivery speed.
Key Responsibilities
Application Security & Secure Engineering
- Secure SDLC Integration: Embed security practices throughout the entire SDLC, from initial design and planning to deployment and maintenance.
- Threat Modeling & Architecture: Lead threat modeling (e.g., STRIDE) and architectural reviews for high-risk features like authentication, PII, and payments.
- AppSec Tooling & Automation: Integrate and manage automated security scanning (SAST, SCA, DAST) within CI/CD pipelines so that findings surface early without slowing delivery.
- Mobile & API Security: Enforce least-privilege models for API configurations. Lead security initiatives specifically tailored to mobile environments (iOS/Android), protecting Gett's core mobility platform.
- Offensive Security & Pentesting: Orchestrate internal red teaming and external penetration tests for web and mobile applications. Manage Vulnerability Disclosure Programs (VDP) / Bug Bounties.
- Developer Empowerment & DevEx: Collaborate with developers to provide automated tools, coding guidelines, and frictionless guardrails for secure-by-design development, ensuring security acts as an enabler, not a blocker.
- Incident & Vulnerability Management: Act as the technical escalation point for application security incidents, leading detection and recovery efforts, while prioritizing vulnerabilities across the product suite for timely remediation.
- Cloud & Network Posture: Manage cloud security posture (CSPM) across AWS/GCP and oversee broad network security measures, including WAF, Bot management, and environment segmentation.
- Pipeline & Secrets Management: Secure the CI/CD infrastructure against tampering and enforce robust secret management and secure repository controls across the organization.
- Resilience & Recovery: Manage disaster recovery (DR) and business continuity planning for production environments.
- DevSecOps Strategy: Lead the strategic evolution of DevOps into a mature DevSecOps model, aligning with industry frameworks like OWASP SAMM and NIST SSDF.
- Metrics & Measurement: Define and track key security metrics (e.g., MTTR, vulnerability density) to measure and improve program effectiveness.
- Security Champions: Build and mentor a Security Champions program within R&D to scale security knowledge and foster a grassroots culture.
- Compliance & Privacy: Ensure continuous compliance with PCI DSS, ISO 27001, and GDPR, championing privacy-by-design principles across all user data and R&D operations.
Requirements:
- 5+ years of proven experience with a strong emphasis on Application Security, Product Security, and Developer interaction. Cloud/Infrastructure security experience is highly valued but secondary to AppSec expertise.
- Hands-on experience with AppSec tooling across the CI/CD pipeline, mobile application security (iOS/Android), and robust API security management.
- Solid understanding of cloud architectures (AWS/GCP), secret management, and security posture tools.
- Deep understanding of OWASP SAMM, NIST, Threat Modeling (STRIDE), and regulatory standards (PCI DSS, GDPR).
- Exceptional communication skills with the ability to bridge the gap between engineering, C-level executives (CISO/CTO), and security teams to embed a security culture seamlessly.