Security Lead

PetroApp | بتروآب · Cairo, Egypt · Posted 2026-01-13

About PetroApp

PetroApp is building a modern technology platform, helping customers and partners move faster with confident, reliable systems. As we scale our engineering organization, we're investing in both world-class reliability and pragmatic, high-impact security.

The Role

We're hiring a Security Lead with a strong DevOps/SRE background to build and lead our security practice while remaining hands-on across cloud infrastructure, CI/CD, and production reliability.

You'll own the security strategy across the SDLC and production environment, embed security into developer workflows, lead vulnerability management and penetration testing with external vendors, and work closely with our Platform/DevOps/SRE team to ensure PetroApp's systems are both secure and reliable.

What You'll Do

Security Leadership & Strategy

- Own the overall security roadmap and strategy for PetroApp, aligning it with business and product priorities
- Act as the primary security point of contact for engineering and leadership
- Define, document, and maintain security policies, standards, and guidelines for engineering teams
- Lead risk assessments, threat modeling, and security design reviews for major initiatives
- Define and track key security KPIs and report status, risks, and progress to leadership

DevSecOps & SDLC Security

- Embed security into the SDLC by integrating SAST, DAST, dependency and container scanning, and IaC scanning into CI/CD pipelines
- Establish secure coding practices and patterns; provide guidance and reviews for high-risk changes
- Set up and maintain secrets management and secrets detection across repos and environments
- Drive vulnerability management: triage findings, prioritize remediation, track SLAs, and verify fixes
- Partner with engineers to ensure security controls are automated and developer-friendly

Cloud & Platform Security (with SRE Mindset)

- Own and continuously improve the cloud and platform security posture (IAM, networking, encryption, key management, hardening)
- Design and enforce least privilege access models and secure-by-default infrastructure baselines
- Ensure security is built into core platform components such as Kubernetes, service-to-service communication, and data stores
- Collaborate with SRE/DevOps on secure, resilient architectures, covering scalability, failover, and disaster recovery

Reliability & Incident Collaboration

- Collaborate with SRE/DevOps to maintain high availability and reliability of production systems
- Contribute to observability and monitoring with a security lens: actionable alerts, meaningful logging, and traceability
- Participate in incident response for security-related events, including root cause analysis and long-term fixes
- Help improve on-call and incident processes where security and reliability intersect

External Security Engagements & Enablement

- Own relationships with external security vendors, including penetration testing and security assessments
- Scope, coordinate, and manage penetration tests; track findings through to remediation and retesting
- Coordinate security-related input for audits, certifications, and customer security questionnaires as needed
- Run security awareness and training initiatives tailored to engineers and operational teams

Requirements

What We're Looking For (Must-Have)

- 5+ years of experience across DevOps/SRE/Platform Engineering and application/infrastructure security, with at least 2-3 years as a primary security owner or lead
- Proven experience leading or owning security in a cloud-native, product-focused company
- Strong DevOps/SRE background: operating production workloads, on-call experience, CI/CD ownership, automation, and infrastructure-as-code
- Deep understanding of cloud security fundamentals (AWS/GCP): IAM, networking, encryption, logging, monitoring
- Hands-on experience integrating security tooling into CI/CD pipelines (SAST, DAST, dependency scanning, container/IaC scanning)
- Solid Linux and networking fundamentals; comfortable debugging complex production and security issues
- Experience with containers and orchestration (Docker/Kubernetes) and securing them in production
- Practical knowledge of OWASP Top 10, common attack vectors, and secure coding principles
- Experience managing penetration tests and/or security assessments, including scoping, coordination, and remediation follow-up
- Excellent communication and stakeholder management skills—able to influence and drive change without blocking delivery

Nice to Have

- Experience building or operating within security frameworks/compliance programs (e.g., ISO 27001, SOC 2, PCI) relevant to PetroApp's domain
- Exposure to WAF, API security, service mesh security, and zero trust patterns
- Experience with SIEM/SOAR, security analytics, and detection engineering concepts
- Hands-on involvement in bug bounty programs or coordinated vulnerability disclosure processes
- Coding ability in at least one backend language (e.g., Python, Go, Node.js, Java) to build security tooling and automation
- Experience mentoring or managing engineers with a focus on security and platform engineering

Benefits

- You will own and shape the security function in a high-impact, hands-on lead role
- You'll work at the intersection of security, reliability, and platform engineering, directly influencing how PetroApp scales
- Opportunity to work with a modern tech stack and a team that values pragmatism, automation, and continuous improvement
- A culture that cares about doing the right thing for customers and partners, with leadership support for investing in security and reliability
