Lead AppSec Engineer

Lead AppSec Engineer

At PropertyGuru , we strive to “Build Southeast Asia’s Trust Platform” and security is at the centre of building that trust with our customers, agents, and partners across Singapore, Vietnam, Malaysia , Thailand & India .

Role

• We’re looking for a Lead Application Security Engineer to shape and drive our AppSec strategy across modern, high-scale web, mobile, API, data, and AI-powered products.

• You’ll operate as a senior individual contributor partnering closely with engineering, product, and platform teams to embed security into every stage of the software development lifecycle.

• You’ll define standards and patterns, build automation, lead strategic initiatives, and act as a trusted advisor helping teams ship secure products without friction.
  

Key Responsibilities

• Set and evolve AppSec strategy across application types (web, mobile, APIs, data, AI/ML); define standards, secure-by-default patterns, and roadmap.

• Embed security across the SDLC by automating SAST, SCA, IaC scanning, DAST/API testing, container scanning, secrets detection, and license compliance.

• Harden CI/CD pipelines (GitHub Actions, Jenkins) with least privilege, ephemeral credentials, provenance controls, and policy-as-code (OPA, CODEOWNERS, branch protection).

• Lead vulnerability management using ASPM tools; automate triage, prioritization, ticketing (Jira), SLA tracking, and reporting.

• D rive application testing and assurance : threat modellin g , logic / auth Z validation, mobile testing (OWASP MASVS), and secure API design/testing .

• Secure the software supply chain : signed artifacts, SBOMs, dependency vetting, container security, and CI/CD provenance.

• Contribute to identity and Zero Trust architecture : secrets management, mTLS , RBAC, and runtime access policies.

• Partner on data and AI/ML security : data protection, vector database access control, model integrity, and privacy-by-design.

• Mentor developers and AppSec engineers , run training/code clinics, and improve developer experience with helpful tooling and fast feedback.

• Support compliance and governance (SOC 2, ISO 27001, PCI, OWASP ASVS/MASVS); automate evidence collection and document risk decisions.

• Maintain high-quality do cumentation and track actionable metrics (MTTR, coverage, SLA adherence, repeat issues).
  

Who you are

Qualifications

• Bachelor’s or Master’s degree in Computer Science , Engineering, Cybersecurity, or equivalent practical experience.

• 6+ years of experience in security engineering, DevSecOps , automation, or application vulnerability management roles.

• Advanced scripting and automation skills in Python, Go, Bash, or similar languages.

• Proven hands-on experience with security tools across the SDLC: SAST, DAST, CNAPP, ASPM, secrets scanning, vulnerability management platforms, SIEM/SOAR, and ticketing systems (e.g., Jira,).

• Strong API development and integration skills (REST, webhooks, SDKs).

• Deep familiarity with cloud environments, infrastructure-as-code, CI/CD pipelines, and modern application architectures.

• Working knowledge of compliance frameworks (NIST, ISO 27001, SOC 2,) and control automation.

• Relevant certifications (e.g., OSCP, GCSA, GIAC, AWS Security) are a plus .
  

Essential Personal Skills

• Self-starter who thrives in fast-moving environments with minimal oversight.

• Operates with high integrity, discretion, and accountability.

• Strong written and verbal communication skills, able to explain technical issues clearly to both technical and non-technical stakeholders.

• Comfortable collaborating across functions and influencing product, engineering, and risk leaders.

• Highly organized, detail-oriented, and results-driven.

• Naturally curious, innovative, and process-improvement minded.

• Experienced mentor and collaborator—able to support, guide, and grow junior team members.
  

Knowledge

• Deep understanding of application security, vulnerability management, and security automation.

• Experience integrating cloud, application s , and GRC tools into cohesive security workflows.

• Strong grasp of DevSecOps and shift-left security practices across modern SDLCs.

• Familiarity with OSINT, threat intelligence tooling, and detection/hunting automation.

• Working knowledge of Zero Trust, identity-based controls, and layered security architecture.