Application Security Lead

About Cbus

Created by workers, for workers, Cbus Super is one of Australia's most successful Superannuation funds. For almost four decades we've proudly represented those who help shape Australia, hard-working individuals who deserve to make the most of their retirement, no matter the industry. As an award-winning fund we've been recognised for the benefits provided to our members and our innovative investment approach. All while staying committed to our member first ethos as a proud Industry Fund.

About the Role

We're looking for a passionate and experienced
Application Security (AppSec) Lead
to join our internet-facing software engineering team. This is a unique opportunity to shape the security posture of customer-facing applications and services, working at the intersection of engineering and security. This role combines
hands-on technical expertise
with
strategic leadership
, ensuring secure design, development, and deployment of customer-facing systems.

This role demands strong subject matter expertise in
enterprise secure development practices
, along with the ability to influence and drive process improvements across the organisation. Working across multiple complex projects, the AppSec Lead will engage with a wide range of internal and external stakeholders to ensure alignment with Cbus' security policies, standards, and control frameworks.

Key Accountabilities:

• Drive threat modeling,
  secure coding practices
  , and security automation.
• Collaborate with developers to integrate security into CI/CD pipelines and monitor for vulnerabilities in code and dependencies.
• Collaborate with developers, architects, security engineers, and external vendors to promote secure coding and engineering standards across all stages of development.
• Partner with security, risk, compliance, and delivery teams to identify, assess, and address cybersecurity risks, ensuring implementation of agreed controls.
• Conduct and facilitate threat modelling and application-level risk assessments and perform security evaluations on both internal and third-party applications.
• Elicit and translate key business requirements into actionable security requirements to ensure alignment with Cbus' security objectives.
• Define, track, and report on key security metrics to measure application security posture and communicate findings to stakeholders.
• Provide security training and mentor developers/peers, participate in code reviews, and promote a culture of security awareness.
• Contribute to secure system architecture design and define cyber and information security requirements for projects and transformation initiatives.
• Support service transition into Security Services Governance and Ops teams, assist with regulatory compliance activities, and translate technical risks into business impacts.

About You

You're a seasoned security professional with a strong
foundation in software engineering
and deep expertise in
application and API security
across web, mobile, and cloud environments. You're confident leading strategic initiatives,
influencing architecture decisions
, and translating complex security concepts into clear, actionable guidance for diverse stakeholders. Whether
driving secure SDLC practices
,
shaping threat modelling frameworks
, or aligning security with business goals, you're passionate about building secure, scalable systems that enable innovation and resilience.

Your Skills & Experience

• Extensive Application Security or Software Engineering experience with a security focus. Tertiary qualifications in IT, Software Engineering, Cybersecurity or relevant certifications (CISSP, CCSP, GSSP, GWAPT, etc).
• Strong understanding of
  web application security
  (OWASP Top 10, API security, etc.).
• Strong ability to
  conduct threat modelling
  and s
  ecurity assessments of applications
  (Web/Mobile/SaaS) is crucial for this role.
• Experience with
  secure SDLC
  , DevSecOps, and
  cloud-native architectures
  (AWS, Azure, GCP)
• Excellent communication and leadership skills.
• Familiarity with container security and modern development environments.
• Display strong understanding of Infrastructure as Code (Terraform, CloudFormation, Ansible).
• Familiarity with CI/CD tools (Jenkins, Azure DevOps) and Agile practices and experience in automating security processes would be advantageous.
• Fluency in Typescript/JavaScript and Python.
• Knowledge of regulatory requirements (e.g., CPS234, Privacy), awareness of current and emerging cybersecurity threats and ability to assess their potential impact on Cbus' major stakeholders would be beneficial.
• Strong communication skills, ability to explain security concepts and issues to business stakeholders.

Belong at Cbus

We value difference, and embrace people with diverse backgrounds, experiences, gender identities, abilities and thinking styles. We believe that, with diversity of perspectives and experiences, you get better teams and outcomes. We're looking for people of all genders, races, nationalities, orientations and of all abilities to join us.

We're keen to hear from you

If you've read through the requirements of this role and you feel like you haven't fully met the criteria, we would still encourage you to apply. We're aware of accessibility barriers when it comes to applying for a job and we want to help. If you require assistance with your application, please contact our Talent Acquisition Team via

Like to know more about working with Cbus? Listen to some of our videos with members of the Cbus team on our website,

Applications Close:
15 September 2025

This is
permanent full-time
position based in
Melbourne
. To be considered, all applicants must have working rights in Australia.

Agencies, please note: All Cbus vacancies are managed by our internal Talent Acquisition Team. Should external assistance be required we will reach out to our preferred agency partners, Thank you.