Senior Security Engineer
Remote, OH, US
Company Overview
Hexion is a global leader in specialty chemicals, delivering innovative solutions that improve performance, sustainability, and efficiency across industries. As part of our ongoing commitment to protecting enterprise assets, customer data, and operational continuity, we are investing in a world-class security engineering function. This team is responsible for embedding security deeply into our software development lifecycle, cloud infrastructure, and enterprise operations, ensuring that security is a first-class engineering discipline, not an afterthought.
Position Overview
The Senior Security Engineer is a hands-on technical leader responsible for architecting and operationalizing security across Hexion's software development pipelines, cloud environments, and enterprise systems. This role requires deep expertise in application security tooling (SAST, DAST, SCA), software supply chain integrity (SBOM), secrets management, cloud security posture, and DevSecOps practices.
This role ensures:
- Security is embedded at every stage of the software development lifecycle (SSDLC)
- Vulnerabilities are identified and remediated before reaching production
- Cloud and application security baselines are defined, enforced, and continuously validated
- Developer teams are equipped with secure-by-default tooling and guardrails
This is a builder's role — equal parts engineer, pen tester, and practitioner.
One-Line Summary
Build and operate the security engineering function that makes Hexion's software development lifecycles, pipelines, and cloud environments secure by design.
Key Responsibilities
1. Application Security Testing (SAST / DAST / SCA)
Own the selection, deployment, tuning, and continuous operation of application security testing tools:
- Implement and manage Static Application Security Testing (SAST) tools integrated into CI/CD pipelines (e.g., Checkmarx, Snyk, Semgrep, SonarQube, Veracode)
- Deploy and operate Dynamic Application Security Testing (DAST) solutions for runtime vulnerability detection (e.g., OWASP ZAP, Burp Suite Enterprise, Checkmarx)
- Integrate Software Composition Analysis (SCA) to identify vulnerabilities in open-source dependencies (e.g., Snyk, Black Duck, Dependabot)
- Establish triage workflows, severity thresholds, and developer-facing remediation guidance
- Track vulnerability metrics and report on risk reduction trends to security leadership
2. Software Bill of Materials (SBOM)
Build and govern the enterprise SBOM program:
- Define SBOM generation standards across all software
- Integrate SBOM generation into build pipelines as a gating control
- Maintain SBOM inventory and correlate with known vulnerability feeds (NVD, OSV, CVE)
- Support regulatory and customer-facing SBOM disclosure requirements
- Advise engineering teams on dependency hygiene and license compliance
3. DevSecOps & Pipeline Security
Embed security natively into CI/CD pipelines and developer workflows:
- Design and enforce pipeline security gates — no build ships without passing defined security checks
- Implement pre-commit hooks, PR scanning, and automated security feedback loops
- Define and enforce secure pipeline configurations across GitHub Actions, Azure DevOps, Jenkins, or equivalent
- Govern pipeline access controls, service account permissions, and artifact signing
- Partner with platform engineering to harden build infrastructure and runner environments
4. Secrets Management
Operate enterprise secrets management:
- Leverage and manage secrets management solutions (Delinea, CyberArk, AWS Secrets Manager, Azure Key Vault)
- Eliminate hardcoded credentials across codebases — implement detection and remediation pipelines
- Define secrets rotation policies, access controls, and audit logging standards
- Integrate secrets injection into CI/CD pipelines and application runtimes
- Conduct periodic secrets sprawl audits and enforce zero standing secrets in code repositories
5. Code & Branch Management Security
Establish and enforce secure source control practices:
- Define branch protection standards for master/main and sub-branches (required reviewers, status checks, signed commits)
- Govern repository access policies, least-privilege permissions, and PAT/token lifecycle
- Implement code scanning and secret detection on all branches, not just main
- Enforce code signing and supply chain integrity controls for release pipelines
- Audit and report on code repository posture across all engineering teams
6. Cloud Security
Own cloud security architecture and posture management:
- Deploy and operate Cloud Security Posture Management (CSPM) tooling (e.g., Wiz, Prisma Cloud, AWS Security Hub, Defender for Cloud)
- Define and enforce cloud security baselines across AWS, Azure, and/or GCP environments
- Enable IAM policies, network segmentation, resource tagging, and encryption standards
- Monitor for misconfigurations, excessive permissions, and drift from approved baselines
- Integrate cloud security findings into enterprise risk and vulnerability management programs
7. Security Baselines & Standards
Define and enforce security baselines across the enterprise:
- Author and maintain security configuration baselines aligned to CIS Benchmarks and internal policy
- Implement automated baseline compliance validation across cloud, OS, container, and application layers
- Translate security policy into enforceable technical controls — policy as code where applicable
- Partner with compliance and risk teams to align technical baselines to regulatory requirements (SOC 2, ISO 27001)
8. Secure Software Development Lifecycle (SSDLC)
Champion security throughout the entire development lifecycle:
- Define and operationalize SSDLC practices across all engineering teams — from design through deployment
- Conduct threat modeling workshops with product and engineering teams for new systems and features
- Develop security requirements, security user stories, and abuse cases for inclusion in sprint planning
- Establish security review gates at key SDLC milestones (architecture review, pre-release, post-incident)
9. Collaboration & Cross-Functional Partnership
Work across teams to make security a shared responsibility:
- Serve as the primary security engineering liaison to application development, platform engineering, and DevOps teams
- Partner with the Security Operations Center (SOC) to connect pipeline telemetry with detection and response workflows
- Collaborate with GRC and risk teams to translate findings into risk-language for executive reporting
- Engage with third-party vendors and open-source communities to stay current on tooling and threat intelligence
Key Competencies
- You build and operate security tools, not just advise on them
- Understand how software is built and design security controls that developers can actually use
- Prioritize based on real risk, not just vulnerability counts
- Automation mindset: you reach for code and tooling before manual processes
- You translate technical security findings into business risk for non-technical audiences
- Stay current in a fast-moving threat and tooling landscape
- Leverage AI agents for automation, validation, and task reduction
Qualifications and Experience
Required Qualifications
- Bachelor's degree in Computer Science, Information Security, Software Engineering, or related field (Master's preferred)
- 7+ years of experience in security engineering, application security, application development, or DevSecOps roles
- Hands-on experience deploying and operating SAST, DAST, and SCA tooling in enterprise CI/CD environments
- Demonstrated experience building and managing SBOM programs at scale
- Deep expertise in secrets management platforms (AWS Secrets Manager, or equivalent)
- Strong cloud security experience across AWS and Azure, including IAM, network security, and CSPM tooling
- Experience defining and enforcing branch protection, code signing, and repository security controls
- Proficiency in one or more scripting/programming languages (Python, Go, Bash, or equivalent) for automation and tooling
- Working knowledge of SSDLC frameworks, threat modeling methodologies (STRIDE), and security requirements engineering
- Familiarity with security frameworks and standards: NIST CSF, NIST 800-53, CIS Benchmarks, OWASP Top 10, SANS 25
Preferred Qualifications
Experience with:
- Policy-as-code tooling (OPA/Rego, Sentinel, Checkov, Terrascan)
- Container and Kubernetes security (image scanning, admission controllers, runtime security with Falco or equivalent)
- Security champion program design and developer enablement
- Enterprise vulnerability management and risk-based prioritization programs
- Certifications (any of the following valued):
  - CISSP, CSSLP, GWEB, GWAPT, AWS Security Specialty, Microsoft Security Engineer Associate, CCSP
Leadership Expectations
- Operate as the enterprise subject matter expert in application security, DevSecOps, and pipeline security
- Influence engineering culture toward security-first practices without being a blocker to delivery
- Drive adoption of security standards and tooling across multiple engineering teams and business units
- Mentor junior security engineers and security champions embedded in product teams
- Represent security engineering in architecture reviews, vendor evaluations, and technology strategy discussions
- Balance long-term security architecture goals with near-term operational realities and delivery timelines
Work Environment & Travel
This is a hybrid-first position (2 days remote, 3 days in office); fully remote work is possible for an exceptional candidate outside the core footprint. Occasional travel to Hexion facilities and partner locations as required (~5–10%).
Other
We are an Equal Opportunity, Affirmative Action employer. All qualified applicants will receive consideration for employment without regard to gender, minority status, sexual orientation, gender identity, protected veteran status, status as a qualified individual with a disability or any characteristic protected by law.
In order to be considered for this position, candidates are required to submit an application for employment through our career site, be at least 18 years of age, be willing to take a drug test, and submit to a background investigation as part of the selection process, as well as additional periodic background checks as required by the Chemical Facility Anti-Terrorism Standards (CFATS) or regulations adopted by the Department of Homeland Security or other regulatory agencies.
Candidates are required to have unrestricted authorization to work in the United States.
If currently an employee of the Company, you must have current satisfactory work performance and, in most cases, have been in your current role for 18 months.
Disclaimer: We are not accepting unsolicited assistance from search firms/employment agencies for this employment opportunity. Please, no phone calls or emails to any employee about this position. All resumes submitted by search firms/employment agencies to any employee of the Company via email, the Internet or in any other form and/or method without a valid written search firm agreement in place for this position will be deemed the sole property of the Company; no fee will be paid in the event a candidate is hired by the Company as a result of the unsolicited referral or through other means.
Nearest Major Market: Canton
Nearest Secondary Market: Akron