Senior Security Engineer

About Lilly

At Lilly, we unite caring with discovery to make life better for people around the world. We are a global healthcare leader headquartered in Indianapolis, Indiana. Our employees around the world work to discover and bring life-changing medicines to those who need them, improve the understanding and management of disease, and give back to our communities through philanthropy and volunteerism. We give our best effort to our work, and we put people first. We’re looking for people who are determined to make life better for people around the world.

Employment Type: Full time

What You'll Be Doing

As an Application Security Engineer, you will focus on securing applications throughout the development lifecycle by developing threat models and conducting security risk analysis, implementing application security tools, and providing security guidance to development teams. You will perform vulnerability assessments of applications, educate developers on secure coding practices, and work directly with engineering teams to remediate identified security issues. This role involves translating security findings into practical remediation steps while building security capabilities within development teams.

How You'll Succeed

• Technical expertise: Demonstrate deep knowledge of application security testing methodologies, secure coding practices, and vulnerability assessment across diverse development environments.
• Risk Analysis: Conduct comprehensive security risk assessments and develop actionable threat models.
• Developer partnership: Work effectively with development teams, providing security guidance and building security awareness through education and consultation.
• Vulnerability management: Effectively identify, prioritize, and guide remediation of application security vulnerabilities while helping to ensure timely resolution.
• Security tooling: Implement, configure, and optimize SAST tools and other application security testing solutions.
• Educational leadership: Guide developers on secure coding practices and help build security knowledge across engineering teams.

Key Responsibilities

• Conduct security risk assessments and static application security testing (SAST)
• Collaborate with DevOps teams to integrate security testing into CI/CD pipelines
• Provide security consultation and guidance to development teams during the SDLC
• Educate developers on secure coding practices and vulnerability remediation techniques
• Analyze application security scan results and prioritize findings based on risk
• Create secure development materials, reference guides, and secure patterns.
• Assist with the tracking and reporting of application security metrics and remediation progress
• Perform dynamic application security testing (DAST) as needed

What You Should Bring

• Strong technical expertise in application security coding practices and testing methodologies
• Experience with SAST, DAST, and ASPM tools (e.g., Checkmarx, Burp Suite)
• Proven track record of conducting security risk assessments and vulnerability assessments
• Knowledge of common application vulnerabilities (OWASP Top 10, CWE) and remediation techniques
• Understanding of multiple programming languages and frameworks
• Experience with DevSecOps practices and CI/CD pipeline security integration in a GitHub environment
• Strong communication skills
• Ability to work collaboratively with development teams and translate security requirements into actionable guidance
• Commitment to staying current with emerging application security threats and testing technologies

Your Basic Minimum Qualifications

• High School Diploma/GED
• At least five years of experience in application security, secure code review, or related discipline
• Qualified candidates must be legally authorized to be employed in the United States. Lilly does not anticipate providing sponsorship for employment visa status (e.g., H-1B or TN status) now or in the future.