Product & Data Security Engineer (AppSec, DLP, & Privacy)

Job role: Product & Data Security Engineer (AppSec, DLP, & Privacy) Duration: Contract-to-Hire (6 12 Months) Location: Fully Remote Job Description: You embed Secure-by-Design and Private-by-Design principles directly into the SDLC by building self-service, developer-native guardrails. You do not review code manually; you design systems that make insecure or non-compliant code impossible to merge. Responsibilities Secure SDLC: Design and maintain SAST, SCA, API, and schema validation patterns using GitHub Actions with deterministic policy-as-code gates (no discretionary approvals). Data Loss Prevention (DLP): Implement source-level PHI/PII and secret detection using regex + ML classifiers in CI/CD to block sensitive data from ever entering source control or artifacts. API & Transport Security: Define non-negotiable Layer 7 standards (TLS 1.3, HSTS, OAuth/OIDC, JWT lifetimes) and automate OpenAPI linting to prevent over-exposure or data leakage. Data Protection Patterns: Build and maintain application-layer encryption, tokenization, and redaction libraries that are consumed by product teams by default. Supply Chain Security: Generate SBOMs per build, sign and attest artifacts, and enforce provenance verification at deploy time via pipeline policy. Minimum Qualifications 5+ years in AppSec or Software Engineering with data-centric security ownership. Hands-on with GitHub Actions, secret prevention tooling, API security, and OAuth/OIDC. Proficient in Python, Go, or TypeScript with strong developer empathy. Success Measures 90% of repos protected by automated DLP and secret scanning 100% APIs conforming to standardized auth and transport patterns Measurable reduction in high/critical application-layer findings