Lead AppSec Engineer

Lead AppSec Engineer 

At PropertyGuru, we strive to “Build Southeast Asia’s Trust Platform” and security is at the centre of building that trust with our customers, agents, and partners across Singapore, Vietnam, Malaysia, Thailand & India. 

Role 

• We’re looking for a Lead Application Security Engineer to shape and drive our AppSec strategy across modern, high-scale web, mobile, API, data, and AI-powered products.  

• You’ll operate as a senior individual contributor partnering closely with engineering, product, and platform teams to embed security into every stage of the software development lifecycle. 

• You’ll define standards and patterns, build automation, lead strategic initiatives, and act as a trusted advisor helping teams ship secure products without friction. 

Key Responsibilities 

• Set and evolve AppSec strategy across application types (web, mobile, APIs, data, AI/ML); define standards, secure-by-default patterns, and roadmap. 

• Embed security across the SDLC by automating SAST, SCA, IaC scanning, DAST/API testing, container scanning, secrets detection, and license compliance. 

• Harden CI/CD pipelines (GitHub Actions, Jenkins) with least privilege, ephemeral credentials, provenance controls, and policy-as-code (OPA, CODEOWNERS, branch protection). 

• Lead vulnerability management using ASPM tools; automate triage, prioritization, ticketing (Jira), SLA tracking, and reporting. 

• Drive application testing and assurance: threat modelling, logic/authZ validation, mobile testing (OWASP MASVS), and secure API design/testing. 

• Secure the software supply chain: signed artifacts, SBOMs, dependency vetting, container security, and CI/CD provenance. 

• Contribute to identity and Zero Trust architecture: secrets management, mTLS, RBAC, and runtime access policies. 

• Partner on data and AI/ML security: data protection, vector database access control, model integrity, and privacy-by-design. 

• Mentor developers and AppSec engineers, run training/code clinics, and improve developer experience with helpful tooling and fast feedback. 

• Support compliance and governance (SOC 2, ISO 27001, PCI, OWASP ASVS/MASVS); automate evidence collection and document risk decisions. 

• Maintain high-quality documentation and track actionable metrics (MTTR, coverage, SLA adherence, repeat issues). 

Who you are 

Qualifications 

• Bachelor’s or Master’s degree in Computer Science, Engineering, Cybersecurity, or equivalent practical experience. 

• 6+ years of experience in security engineering, DevSecOps, automation, or application vulnerability management roles. 

• Advanced scripting and automation skills in Python, Go, Bash, or similar languages. 

• Proven hands-on experience with security tools across the SDLC: SAST, DAST, CNAPP, ASPM, secrets scanning, vulnerability management platforms, SIEM/SOAR, and ticketing systems (e.g., Jira,). 

• Strong API development and integration skills (REST, webhooks, SDKs). 

• Deep familiarity with cloud environments, infrastructure-as-code, CI/CD pipelines, and modern application architectures. 

• Working knowledge of compliance frameworks (NIST, ISO 27001, SOC 2,) and control automation. 

• Relevant certifications (e.g., OSCP, GCSA, GIAC, AWS Security) are a plus. 

Essential Personal Skills   

• Self-starter who thrives in fast-moving environments with minimal oversight. 

• Operates with high integrity, discretion, and accountability. 

• Strong written and verbal communication skills, able to explain technical issues clearly to both technical and non-technical stakeholders. 

• Comfortable collaborating across functions and influencing product, engineering, and risk leaders. 

• Highly organized, detail-oriented, and results-driven. 

• Naturally curious, innovative, and process-improvement minded. 

• Experienced mentor and collaborator—able to support, guide, and grow junior team members. 

Knowledge 

• Deep understanding of application security, vulnerability management, and security automation. 

• Experience integrating cloud, applications, and GRC tools into cohesive security workflows. 

• Strong grasp of DevSecOps and shift-left security practices across modern SDLCs. 

• Familiarity with OSINT, threat intelligence tooling, and detection/hunting automation. 

• Working knowledge of Zero Trust, identity-based controls, and layered security architecture.