Principal Application Security Engineer

At Selective, we don't just insure uniquely, we employ uniqueness.

Selective is a midsized U.S. domestic property and casualty insurance company with a history of strong, consistent financial performance for nearly 100 years. Selective's unique position as both a leading insurance group and an employer of choice is recognized in a wide variety of awards and honors, including listing in Forbes Best Midsize Employers in 2025 and certification as a Great Place to Work in 2025 for the sixth consecutive year.

Employees are empowered and encouraged to Be Uniquely You by being their true, unique selves and contributing their diverse talents, experiences, and perspectives to our shared success. Together, we are a high-performing team working to serve our customers responsibly by helping to mitigate loss, keep them safe, and restore their lives and businesses after an insured loss occurs.

The Principal Application Security Engineer serves as a strategic and technical leader in securing enterprise applications. This role is responsible for embedding security throughout the software development lifecycle (SDLC), conducting advanced security assessments, and driving compliance with internal and external standards. The engineer collaborates across agile teams, architects, and leadership to ensure robust application security posture, proactively mitigating risks and responding to incidents. The role also champions secure coding practices and fosters a culture of security awareness. All job duties and responsibilities must be carried out in compliance with applicable legal and regulatory requirements.

• Security Leadership & Strategy: Lead application security initiatives across agile teams and delivery portfolios. Define and execute scalable security strategies tailored to cloud, on-premises, and hybrid environments.
• Security Assessments & Testing: Conduct static (SAST), dynamic (DAST), and interactive (IAST) application security testing. Perform penetration testing and vulnerability assessments using industry-standard tools.
• Secure SDLC Integration: Integrate security controls into CI/CD pipelines and DevOps workflows. Promote threat modeling and automated security testing during development phases.
• Policy & Compliance: Develop and enforce application security standards and Secure SDLC policies aligned with frameworks like OWASP, NIST, and ISO.
• Monitor compliance with data privacy regulations and internal standards. Security Enablement & Training.
• Establish and manage an Application Security Champions program. Deliver training on secure coding practices and security awareness. Incident Response & Risk Management
• Lead incident response efforts related to application vulnerabilities. Continuously evaluate and improve risk mitigation strategies
• Tooling & Automation Deploy and manage security tools for code analysis, vulnerability scanning, and runtime protection. Implement runtime application self-protection (RASP) and code obfuscation techniques.
• Act as a liaison between development, architecture, and cybersecurity teams. Translate technical risks into business impacts for non-technical stakeholders.

Knowledge and Requirements

• Collaboration & Communication: Excellent communication skills, with the ability to convey complex security concepts to technical and non-technical audiences.
• Collaborates with varied stakeholders and is proactive in communication.
  Ability to adapt to rapidly changing technology, processes, business models and user behaviors.
• Technical Skills: Proficiency in cloud, security tools and technologies, such as static and dynamic analysis tools, vulnerability scanners, and penetration testing frameworks.
• Knowledge: Strong understanding of secure coding practices, OWASP Top Ten, and common security vulnerabilities. App Sec security tooling, frameworks and methodologies
• Problem-Solving: Strong analytical and problem-solving skills, with a proactive approach to identifying and addressing security issue

Education and Experience

• Experience: Minimum of 10 years of experience in application security or a related field.
• Expertise in application security practices and delivering comprehensive support to meet complex enterprise application security needs.
• Education: Bachelor's degree in Computer Science, Information Security, or a related discipline. Relevant certifications (e.g., CISSP, CEH, OSCP) are a plus.

Selective Insurance offers a total rewards package that includes a competitive base salary, incentive plan eligibility at all levels, and a wide array of benefits designed to help you and your family stay healthy, achieve your financial goals, and balance the demands of your work and personal life. These benefits include comprehensive health care plans, retirement savings plan with company match, discounted Employee Stock Purchase Program, tuition assistance and reimbursement programs, and 20 days of paid time off. Additional details about our total rewards package can be found by visiting our benefits page.

The actual base salary is based on geographic location, and the range is representative of salaries for this role throughout Selective's footprint. Additional considerations include relevant education, qualifications, experience, skills, performance, and business needs.

Selective is an Equal Employment Opportunity employer. That means we respect and value every individual's unique opinions, beliefs, abilities, and perspectives. We are committed to promoting a welcoming culture that celebrates diverse talent, individual identity, different points of view and experiences - and empowers employees to contribute new ideas that support our continued and growing success. Building a highly engaged team is one of our core strategic imperatives, which we believe is enhanced by diversity, equity, and inclusion. We expect and encourage all employees and all of our business partners to embrace, practice, and monitor the attitudes, values, and goals of acceptance; address biases; and foster diversity of viewpoints and opinions.

For Massachusetts Applicants

It is unlawful in Massachusetts to require or administer a lie detector test as a condition of employment or continued employment. An employer who violates this law shall be subject to criminal penalties and civil liability.