Senior Application Security Consultant

5 - 9 years

0 Lacs

Posted: 6 days ago | Platform: Shine

Work Mode

On-site

Job Type

Full Time

Job Description

Role Overview:

You will be working as a Senior Application Security Consultant at Black Duck Software, Inc., using your expertise in software security, secure development practices, and framework-driven transformation planning. Your primary responsibility will be to lead client engagements that assess Application Security Programs against industry frameworks and to deliver strategic roadmaps that help organizations enhance their secure software development capabilities.

Key Responsibilities:

- Lead AppSec Program maturity assessments using frameworks such as BSIMM, NIST SSDF, and OWASP SAMM, including stakeholder interviews, evidence collection, and scoring.
- Design and deliver Strategic Roadmaps outlining target states, 12-36-month plans, resource needs, and success metrics.
- Facilitate workshops with executive, engineering, and AppSec leadership to align initiatives with organizational risk and compliance goals.
- Deliver compelling, executive-level presentations and recommendations to CISOs, CTOs, and software leadership teams.
- Contribute to internal tools and accelerators such as maturity scoring tools, roadmap templates, and reporting dashboards.
- Support thought leadership through whitepapers, webinars, and conference presentations on secure software development and governance.

Qualifications:

Must have:

- 5-8 years of experience in application security, software assurance, or product security consulting.
- Strong knowledge of frameworks such as BSIMM, NIST SSDF, or OWASP SAMM.
- Experience with Open-Source Software (OSS) security, including identification, tracking, and remediation of vulnerabilities in third-party components.
- Familiarity with Software Bill of Materials (SBOM) standards and tools (e.g., SPDX, CycloneDX), and their role in software supply chain transparency and compliance.
- Proven experience in developing or executing maturity models, capability assessments, or multi-year roadmaps for AppSec or DevSecOps programs.
- Hands-on experience with secure software development practices, including familiarity with the SDLC, CI/CD pipelines, and code-level security controls.
- Excellent verbal and written communication skills, with the ability to translate technical findings into clear, executive-level narratives and actionable plans.
- Strong presentation and facilitation skills in client-facing environments.

Nice to Have:

- Prior consulting experience with a Big Four firm, a boutique AppSec consultancy, or an internal software security governance team.
- Experience in software supply chain risk management (SSCRM), AI/ML assurance, or DevSecOps pipeline design.
- Background in software development (e.g., Java, Python, C#) and experience working within secure SDLCs.
- Industry certifications such as CEH, CISSP, CISM, or equivalent.