Senior Manager, Application Security (Hybrid - Seattle)
$191,000 - $297,000/year
Role Details
Job Description
We are seeking an experienced and strategic Senior Manager of Application Security to lead our application security team. This role is responsible for building and maturing our application security program, embedding security throughout the software development lifecycle (SDLC), and ensuring that Nordstrom’s applications and APIs are protected against evolving threats. The ideal candidate will drive technical strategy for application security tooling, scale secure-by-design practices, and lead initiatives to integrate security seamlessly into engineering workflows while building a high-performing AppSec team. You will partner closely with product engineering, platform, and DevOps teams to deliver security at the speed of development. The right leader will bring an AI-first mindset and a proven ability to enable their team to embrace and leverage AI in their day-to-day work.
Key Responsibilities:
Strategic Leadership & AppSec Program Vision
- Develop and execute a strategic roadmap for application security across the SDLC, including secure code review, SAST/DAST/SCA tooling, API security, secrets management, and developer security enablement.
- Champion an AI-first approach to application security, identifying opportunities to leverage AI for vulnerability detection, code analysis, threat modeling automation, and developer guidance.
- Drive a shift-left security strategy, embedding security practices early in the development lifecycle and reducing time-to-remediation for application vulnerabilities.
- Create multi-quarter implementation plans for maturing the AppSec program, including bug bounty expansion, penetration testing cadence, and security champions growth, aligned with enterprise security and engineering objectives.
- Identify and prioritize application security investments based on threat intelligence, vulnerability trends, business risk, and the evolving attack surface of Nordstrom’s web, mobile, and API ecosystem.
- Establish meaningful AppSec metrics that demonstrate program maturity and business value, such as mean time to remediate (MTTR), vulnerability density trends, security debt reduction, and developer security training completion.
- Partner with security leadership to translate organizational security strategy into actionable platform implementation plans.
Program Management & Technical Execution
- Lead the design, implementation, and lifecycle management of application security tooling including SAST, DAST, SCA, IAST, secrets detection, API security testing, and developer security training platforms.
- Oversee RFP processes and technical evaluations for AppSec tooling, ensuring selected solutions integrate into CI/CD pipelines and developer workflows with minimal friction.
- Own the application penetration testing program, including scoping, vendor management, internal red team coordination, and ensuring findings are tracked to remediation.
- Establish and maintain application security standards, secure coding guidelines, threat modeling practices, and architectural review processes across engineering teams.
- Build and scale a Security Champions program that embeds security awareness and accountability within engineering squads, reducing reliance on centralized security reviews.
- Partner with engineering, DevOps, and platform teams to integrate security gates into CI/CD pipelines, ensuring automated scanning and policy enforcement at every stage of the build and deploy process.
- Lead application security incident response for vulnerabilities and exploits targeting Nordstrom’s applications, driving rapid triage, root cause analysis, and durable remediation in partnership with the SOC and engineering teams.
Team Leadership & Development
- Build, lead, and mentor a diverse team of application security engineers spanning offensive security, secure code review, AppSec tooling, and developer enablement functions.
- Establish team structure that balances proactive security engineering (tooling, automation, secure design) with reactive functions (vulnerability management, security reviews, and incident support).
- Create individual development plans that align with team members’ career aspirations and organizational needs.
- Implement performance management frameworks that recognize achievements and address development areas.
- Foster a collaborative culture that encourages knowledge sharing, continuous learning, partnership, and innovation.
- Identify and develop emerging leaders within the team to build succession pipelines.
- Foster a culture of AI adoption by modeling an AI-first mindset, enabling experimentation, and integrating AI tools into team workflows.
- Promote inclusive team practices that value diverse perspectives and approaches.
Stakeholder Management & Cross-Functional Collaboration
- Build strategic partnerships with engineering managers, directors, product managers, and platform leads to ensure security is embedded in product decisions and the engineering culture, not bolted on.
- Represent application security needs in cross-functional initiatives, architecture review boards, and steering committees, advocating for secure-by-default standards across Nordstrom’s technology ecosystem.
- Communicate complex security concepts effectively to both technical and non-technical audiences.
- Negotiate and manage dependencies with engineering teams to prioritize vulnerability remediation, ensuring AppSec findings are tracked in product backlogs and addressed within agreed SLAs.
- Collaborate with governance, risk, and compliance teams to ensure application security practices satisfy regulatory requirements (e.g., PCI-DSS, SOX) and align with industry standards such as OWASP SAMM and BSIMM.
- Partner with the SOC and incident response teams to ensure application-layer detections, WAF rules, and threat intelligence are incorporated into AppSec tooling and response playbooks.
- Advocate for application security requirements in enterprise architecture decisions, third-party integrations, and technology standards to ensure secure design is a first-class consideration.
Required Qualifications
- Bachelor’s degree in Computer Science, Information Security, or related field—or equivalent practical experience.
- 8+ years of experience in information security or cybersecurity with a strong focus on application security, secure software development, or offensive security.
- 3-5 years of experience in security management or technical lead roles, with a track record of building and leading high-performing AppSec or product security teams.
- Deep understanding of application security principles, including the OWASP Top 10, secure SDLC methodologies, threat modeling (e.g., STRIDE), API security, and web application attack techniques and defenses.
- Proven experience deploying and scaling AppSec tooling (SAST, DAST, SCA, secrets detection) within CI/CD pipelines in large, distributed engineering organizations.
- Strong knowledge of application security frameworks and maturity models (e.g., OWASP SAMM, BSIMM, NIST SSDF) and how to apply them to build a measurable, risk-based AppSec program.
- Excellent leadership, strategic thinking, and communication skills.
- Demonstrated AI-first mindset with experience adopting AI tools and enabling teams to integrate AI into their work.
- Proven ability to translate complex application security risk into developer-friendly guidance, actionable remediation advice, and business-aligned risk decisions.
Preferred Qualifications
- Master’s degree in a relevant field.
- Experience securing cloud-native applications and microservices architectures, including container security, serverless functions, and cloud-native API gateways (AWS, Azure, or GCP).
- Familiarity with AI-powered application security tools such as AI-assisted code review, LLM-based vulnerability analysis, or AI-enhanced DAST/fuzzing platforms.
- Relevant industry certifications (e.g., CSSLP, GWEB, GWAPT, OSCP, CISSP, or equivalent offensive/AppSec-focused credentials).
- Hands-on experience with AppSec tools such as Semgrep, Checkmarx, Veracode, Snyk, Burp Suite Pro, or comparable SAST/DAST/SCA platforms.
- Understanding of retail or e-commerce application security challenges, including payment security (PCI-DSS), fraud prevention, account takeover (ATO) defenses, and securing high-volume customer-facing APIs.
- Experience building or scaling a Security Champions program or developer security training initiatives within a large engineering organization.
- Background in software engineering or development — candidates who have written production code and understand the developer experience bring a meaningful advantage to this role.
Why Join Us
- Lead a high-visibility function that directly shapes the security posture of one of the largest retail technology organizations in the country, protecting customer data and business-critical applications at scale.
- Drive a modern, developer-centric approach to application security — building a program where security accelerates engineering rather than slowing it down.
- Join an innovative retailer that has embraced the responsible use of AI across our workplace and products, with the opportunity to shape how AI evolves our security capabilities.
- Work with a talented and diverse team of security professionals dedicated to protecting our customers and brand.
- Opportunity to build and scale a best-in-class AppSec program from the ground up, with the authority and resources to make lasting impact on how Nordstrom develops and ships secure software.
- Competitive compensation and benefits package.
- Collaborative, inclusive work environment that values professional growth and development.
We’ve got you covered…
Our employees are our most important asset and that’s reflected in our benefits. Nordstrom is proud to offer a variety of benefits to support employees and their families, including:
- Medical/Vision, Dental, Retirement and Paid Time Away
- Life Insurance and Disability
- Merchandise Discount and EAP Resources
A few more important points...
The job posting highlights the most critical responsibilities and requirements of the job. It’s not all-inclusive. There may be additional duties, responsibilities and qualifications for this job.
For Los Angeles or San Francisco applicants: Nordstrom is required to inform you that we conduct background checks after conditional offer and consider qualified applicants with criminal histories in a manner consistent with legal requirements per Los Angeles, Cal. Muni. Code 189.04 and the San Francisco Fair Chance Ordinance. For additional state and location specific notices, please refer to the Legal Notices document within the FAQ section of the Nordstrom Careers site.
Applicants with disabilities who require assistance or accommodation should contact the nearest Nordstrom location, which can be identified at www.nordstrom.com.
Please be mindful that there may be legal notices and requirements related to this job posting that are specific to your state. Review the Career Site FAQ’s for relevant information and guidelines.
© 2022 Nordstrom, Inc
Current Nordstrom employees: To apply, log into Workday, click the Careers button and then click Find Jobs.
Nordstrom keeps job postings open for at least one day after the posting date.
Pay Range Details
The pay range(s) below have been provided in compliance with state-specific laws. Pay ranges may be different for other locations.
Pay offers are dependent on the location, as well as job-related knowledge, skills, and experience.
$191,000.00 - $297,000.00 Annual
This position may be eligible for performance-based incentives/bonuses. Benefits include 401k, medical/vision/dental/life/disability insurance options, PTO accruals, Holidays, and more. Eligibility requirements may apply based on location, job level, classification, and length of employment. Learn more in the Nordstrom Benefits Overview by copying and pasting the following URL into your browser: https://careers.nordstrom.com/pdfs/Ben_Overview_17-19.pdf
About Nordstrom
Nordstrom is a leading American luxury department store chain offering a wide selection of clothing, shoes, accessories, and beauty products through its stores, Nordstrom Rack outlets, and online.
Industry: Luxury Department Store Retail