All roles

Open role

Senior DevSecOps / Security Engineer – Application & Cloud (Ecommerce)

Remote · Mexico Full-time

Department: Information Technology Location: Remote Compensation: $150,000 - $180,000 / year Description At Thorne, we work to deliver high-quality, science-backed solutions to empower individuals to take a proactive approach to their well-being. Each day begins with a mission to help others discover and achieve their best health. We count on our team members to challenge and push the boundaries to make that happen. At Thorne, you’ll be joining a team of more than 750 passionate individuals committed to our cause of providing superior health solutions at every age and life stage. Thorne is seeking a Senior DevSecOps / Security Engineer – Application & Cloud (Ecommerce) to secure and scale our digital platforms, including Thorne.com, mobile applications, and emerging AI capabilities. This role sits at the intersection of application security, DevSecOps, and AWS cloud infrastructure, with a strong focus on protecting ecommerce systems, customer data, and high-traffic web applications. The ideal candidate will balance remediations and hands-on execution, ensuring systems are resilient, performant, and secure, while embedding security throughout the development lifecycle.

Responsibilities

Application & Ecommerce Security

  • Identify and remediate vulnerabilities in Java-based applications (Spring Boot, APIs, microservices)
  • Address OWASP Top 10 and ecommerce-specific risks, including:
  • Injection (SQL/NoSQL), XSS, CSRF
  • Broken authentication / session management
  • Business logic flaws (checkout, pricing, promotions, abuse scenarios)
  • Account takeover, credential stuffing, bot attacks
  • Secure checkout flows, payment integrations, subscriptions, and customer data handling
  • Conduct secure code reviews and support threat modeling for new features

API & Integration Security

  • Secure REST/GraphQL APIs (authentication, authorization, rate limiting)
  • Prevent API abuse, scraping, and data exfiltration
  • Implement and enforce secure patterns (OAuth2, JWT, token management)

DevSecOps & CI/CD Security

  • Implement and manage security tooling in CI/CD pipelines:
  • SAST (Java-focused), DAST, SCA (dependencies), secrets scanning
  • Secure build and deployment pipelines
  • Enforce secure coding standards and automate policy checks
  • Own infrastructure-as-code security (Terraform) for app environments

AWS Cloud Security (Critical)

  • Secure application workloads on AWS (EKS/ECS, EC2, Lambda, API Gateway, S3, RDS)
  • Implement and validate:
  • IAM roles and least privilege access
  • Network segmentation (VPCs, security groups, private/public boundaries)
  • Secrets management (AWS Secrets Manager, Parameter Store)
  • Data protection (encryption at rest/in transit)
  • Partner with Infra to ensure alignment with enterprise guardrails, while owning app-layer cloud security

Runtime Protection & Detection

  • Implement and tune WAF, bot protection, and rate limiting for ecommerce surfaces
  • Partner with Infra on CrowdStrike coverage for application workloads
  • Support detection and response improvements for:
  • Web/app-layer attacks
  • API abuse
  • Triage and remediate findings from:
  • Pen tests
  • Purple team exercises
  • Assumed breach scenarios

Security Program Execution

  • Translate security findings into prioritized engineering work
  • Partner with external security testing partners on risk prioritization (CTRM) tied to business impact
  • Drive adoption of security best practices across engineering teams
  • Act as a bridge between Ecom, Infrastructure, and external security partners

What You Need Application & Ecommerce Security

  • Identify and remediate vulnerabilities in Java-based applications (Spring Boot, APIs, microservices)
  • Address OWASP Top 10 and ecommerce-specific risks, including:
  • Injection (SQL/NoSQL), XSS, CSRF
  • Broken authentication / session management
  • Business logic flaws (checkout, pricing, promotions, abuse scenarios)
  • Account takeover, credential stuffing, bot attacks
  • Secure checkout flows, payment integrations, subscriptions, and customer data handling
  • Conduct secure code reviews and support threat modeling for new features

API & Integration Security

  • Secure REST/GraphQL APIs (authentication, authorization, rate limiting)
  • Prevent API abuse, scraping, and data exfiltration
  • Implement and enforce secure patterns (OAuth2, JWT, token management)

DevSecOps & CI/CD Security

  • Implement and manage security tooling in CI/CD pipelines:
  • SAST (Java-focused), DAST, SCA (dependencies), secrets scanning
  • Secure build and deployment pipelines
  • Enforce secure coding standards and automate policy checks
  • Own infrastructure-as-code security (Terraform) for app environments

AWS Cloud Security (Critical)

  • Secure application workloads on AWS (EKS/ECS, EC2, Lambda, API Gateway, S3, RDS)
  • Implement and validate:
  • IAM roles and least privilege access
  • Network segmentation (VPCs, security groups, private/public boundaries)
  • Secrets management (AWS Secrets Manager, Parameter Store)
  • Data protection (encryption at rest/in transit)
  • Partner with Infra to ensure alignment with enterprise guardrails, while owning app-layer cloud security

Runtime Protection & Detection

  • Implement and tune WAF, bot protection, and rate limiting for ecommerce surfaces
  • Partner with Infra on CrowdStrike coverage for application workloads
  • Support detection and response improvements for:
  • Web/app-layer attacks
  • API abuse
  • Triage and remediate findings from:
  • Pen tests
  • Purple team exercises
  • Assumed breach scenarios

Security Program Execution

  • Translate security findings into prioritized engineering work
  • Partner with external security testing partners on risk prioritization (CTRM) tied to business impact
  • Drive adoption of security best practices across engineering teams
  • Act as a bridge between Ecom, Infrastructure, and external security partners

What We Offer

  • Competitive compensation
  • 100% company-paid medical, dental, and vision insurance coverage for employees
  • Company-paid short- and long-term disability insurance
  • Company- paid life insurance
  • 401k plan with employer matching contributions up to 4%
  • Gym membership reimbursement
  • Monthly allowance of Thorne supplements
  • Paid time off, volunteer time off and holiday leave
  • Training, professional development, and career growth opportunities

Thorne is the leader in science-backed health and wellness solutions committed to helping individuals live healthier longer. As the top recommended clinical brand by healthcare practitioners, Thorne offers a comprehensive range of products including nutritional supplements and health tests designed to meet the unique needs of individuals at every stage of life. Founded in 1984, Thorne products are formulated with the highest-quality ingredients, supported by clinical research, and rigorously tested to ensure purity, potency, and efficacy. Thorne is trusted by 47,000+ health-care professionals, thousands of professional athletes, more than 100 professional sports teams, multiple U.S. National Teams, and more than five million consumers. For more information, visit Thorne.com. THORNE IS AN EQUAL OPPORTUNITY EMPLOYER

More open positions

Lead Cyber Security Engineer – Nuclear

Work from home Full-time role

Principal Security Engineer

Work from home Full-time role

Penetration Tester w/ Secret Clearance

Work from home Full-time role

Security Analyst (Remote)

Work from home Full-time role

Network & Infrastructure Security Analyst

Work from home Full-time role

[Remote] Remote Regional Healthcare Senior Finance Manager - Surgery - Dallas, Tx

Work from home Full-time role

Virtual Occupational Therapist (OT)

Work from home Full-time role

Investment Analyst

Work from home Full-time role

Manager, Product Design – Client Experience

Work from home Full-time role

Senior Software Engineer, Windows/Desktop Applications - Pasadena, CA, USA

Work from home Full-time role

Certified Remote Online Notary (RON) and Mobile Notary

Work from home Full-time role

Licensed Property & Casualty Insurance Agent - Remote USA

Work from home Full-time role

Entry Level Remote Data Entry Specialist – Precision Data Management & Digital Operations at careerzynith ($30/Hour, No Experience Required)

Work from home Full-time role

Tech Lead, Android Core Product - Dublin, Ireland

Work from home Full-time role

Temporary Customer Experience Senior Specialist – Remote Coaching, Performance Management & Compliance Excellence

Work from home Full-time role

Associate, Fund Administration (Interns)

Work from home Full-time role

No Experience Chat Support Specialist (Remote)

Work from home Full-time role

[Entry Level, No Experience] Southwest Airlines Remote Data Entry

Work from home Full-time role

Adjunct RN Faculty – PRN Miramar/Miami, FL – Psychiatric (Psych) Clinical Adjunct – Nursing

Work from home Full-time role

Field Application Engineer Ukraine

Work from home Full-time role

Integrated Cloud Consulting - Cloud FinOps Manager (Location Flexible)

Work from home Full-time role