Senior Security Engineer
Date: Jun 16, 2026
Location: Remote, OH, US
Company Overview
Hexion is a global leader in specialty chemicals, delivering innovative solutions that improve performance, sustainability, and efficiency across industries. As part of our ongoing commitment to protecting enterprise assets, customer data, and operational continuity, we are investing in a world-class security engineering function. This team is responsible for embedding security deeply into our software development lifecycle, cloud infrastructure, and enterprise operations, ensuring that security is a first-class engineering discipline, not an afterthought.
Position Overview
The Senior Security Engineer is a hands-on technical leader responsible for architecting and operationalizing security across Hexion's software development pipelines, cloud environments, and enterprise systems. This role requires deep expertise in application security tooling (SAST, DAST, SCA), software supply chain integrity (SBOM), secrets management, cloud security posture, and DevSecOps practices.
This role ensures:
- Security is embedded at every stage of the software development lifecycle (SSDLC)
- Vulnerabilities are identified and remediated before reaching production
- Cloud and application security baselines are defined, enforced, and continuously validated
- Developer teams are equipped with secure-by-default tooling and guardrails
This is a builder's role - equal parts engineer, pen tester, and practitioner.
One-Line Summary
Build and operate the security engineering function that makes Hexion's software development lifecycles, pipelines, and cloud environments secure by design.
Key Responsibilities
- Application Security Testing (SAST / DAST / SCA)
Own the selection, deployment, tuning, and continuous operation of application security testing tools:
- Implement and manage Static Application Security Testing (SAST) tools integrated into CI/CD pipelines (e.g., Checkmarx, Snyk, Semgrep, SonarQube, Veracode)
- Deploy and operate Dynamic Application Security Testing (DAST) solutions for runtime vulnerability detection (e.g., OWASP ZAP, Burp Suite Enterprise, Checkmarx)
- Integrate Software Composition Analysis (SCA) to identify vulnerabilities in open-source dependencies (e.g., Snyk, Black Duck, Dependabot)
- Establish triage workflows, severity thresholds, and developer-facing remediation guidance
- Track vulnerability metrics and report on risk reduction trends to security leadership
- Software Bill of Materials (SBOM)
Build and govern the enterprise SBOM program:
- Define SBOM generation standards across all software
- Integrate SBOM generation into build pipelines as a gating control
- Maintain SBOM inventory and correlate with known vulnerability feeds (NVD, OSV, CVE)
- Support regulatory and customer-facing SBOM disclosure requirements
- Advise engineering teams on dependency hygiene and license compliance
- DevSecOps & Pipeline Security
Embed security natively into CI/CD pipelines and developer workflows:
- Design and enforce pipeline security gates - no build ships without passing defined security checks
- Implement pre-commit hooks, PR scanning, and automated security feedback loops
- Define and enforce secure pipeline configurations across GitHub Actions, Azure DevOps, Jenkins, or equivalent
- Govern pipeline access controls, service account permissions, and artifact signing
- Partner with platform engineering to harden build infrastructure and runner environments
- Secrets Management
Operate enterprise secrets management:
- Leverage and manage secrets management solutions (Delinea, CyberArk, AWS Secrets Manager, Azure Key Vault)
- Eliminate hardcoded credentials across codebases - implement detection and remediation pipelines
- Define secrets rotation policies, access controls, and audit logging standards
- Integrate secrets injection into CI/CD pipelines and application runtimes
- Conduct periodic secrets sprawl audits and enforce zero standing secrets in code repositories
- Code & Branch Management Security
Establish and enforce secure source control practices:
- Define branch protection standards for master/main and sub-branches (required reviewers, status checks, signed commits)
- Govern repository access policies, least-privilege permissions, and PAT/token lifecycle
- Implement code scanning and secret detection on all branches, not just main
- Enforce code signing and supply chain integrity controls for release pipelines
- Audit and report on code repository posture across all engineering teams
- Cloud Security
Own cloud security architecture and posture management:
- Deploy and operate Cloud Security Posture Management (CSPM) tooling (e.g., Wiz, Prisma Cloud, AWS Security Hub, Defender for Cloud)
- Define and enforce cloud security baselines across AWS, Azure, and/or GCP environments
- Enable IAM policies, network segmentation, resource tagging, and encryption standards
- Monitor for misconfigurations, excessive permissions, and drift from approved baselines
- Integrate cloud security findings into enterprise risk and vulnerability management programs
- Security Baselines & Standards
Define and enforce security baselines across the enterprise:
- Author and maintain security configuration baselines aligned to CIS Benchmarks and internal policy
- Implement automated baseline compliance validation across cloud, OS, container, and application layers
- Translate security policy into enforceable technical controls - policy as code where applicable
- Partner with compliance and risk teams to align technical baselines to regulatory requirements (SOC 2, ISO 27001)
- Secure Software Development Lifecycle (SSDLC)
Champion security throughout the entire development lifecycle:
- Define and operationalize SSDLC practices across all engineering teams - from design through deployment
- Conduct threat modeling workshops with product and engineering teams for new systems and features
- Develop security requirements, security user stories, and abuse cases for inclusion in sprint planning
- Establish security review gates at key SDLC milestones (architecture review, pre-release, post-incident)
- Collaboration & Cross-Functional Partnership
Work across teams to make security a shared responsibility:
- Serve as the primary security engineering liaison to application development, platform engineering, and DevOps teams
- Partner with the Security Operations Center (SOC) to connect pipeline telemetry with detection and response workflows
- Collaborate with GRC and risk teams to translate findings into risk-language for executive reporting
- Engage with third-party vendors and open-source communities to stay current on tooling and threat intelligence
Key Competencies
- You build and operate security tools, not just advise on them
- Understand how software is built and design security controls that developers can actually use
- Prioritize based on real risk, not just vulnerability counts
- Automation mindset: you reach for code and tooling before manual processes
- You translate technical security findings into business risk for non-technical audiences
- Stay current in a fast-moving threat and tooling landscape
- Leverage AI agents for automation, validation, and task reduction.
Qualifications and Experience
Required Qualifications
- Bachelor's degree in Computer Science, Information Security, Software Engineering, or related field (Master's preferred)
- 7+ years of experience in security engineering, application security, application development, or DevSecOps roles
- Hands-on experience deploying and operating SAST, DAST, and SCA tooling in enterprise CI/CD environments
- Demonstrated experience building and managing SBOM programs at scale
- Deep expertise in secrets management platforms (AWS Secrets Manager, or equivalent)
- Strong cloud security experience across AWS and Azure, including IAM, network security, and CSPM tooling
- Experience defining and enforcing branch protection, code signing, and repository security controls
- Proficiency in one or more scripting/programming languages (Python, Go, Bash, or equivalent) for automation and tooling
- Working knowledge of SSDLC frameworks, threat modeling methodologies (STRIDE), and security requirements engineering
- Familiarity with security frameworks and standards: NIST CSF, NIST 800-53, CIS Benchmarks, OWASP Top 10, SANS 25
Preferred Qualifications
Experience with:
- Policy-as-code tooling (OPA/Rego, Sentinel, Checkov, Terrascan)
- Container and Kubernetes security (image scanning, admission controllers, runtime security with Falco or equivalent)
- Security champion program design and developer enablement
- Enterprise vulnerability management and risk-based prioritization programs
- Certifications (any of the following valued):
- CISSP, CSSLP, GWEB, GWAPT, AWS Security Specialty, Microsoft Security Engineer Associate, CCSP
Leadership Expectations
- Operate as the enterprise subject matter expert in application security, DevSecOps, and pipeline security
- Influence engineering culture toward security-first practices without being a blocker to delivery
- Drive adoption of security standards and tooling across multiple engineering teams and business units
- Mentor junior security engineers and security champions embedded in product teams
- Represent security engineering in architecture reviews, vendor evaluations, and technology strategy discussions
- Balance long-term security architecture goals with near-term operational realities and delivery timelines
Work Environment & Travel
This is a hybrid-first position (2 days remote, 3 days in office); full-time remote is possible for an exceptional candidate outside of the core footprint. Occasional travel to Hexion facilities and partner locations as required (~5-10%).
Other
We are an Equal Opportunity, Affirmative Action employer. All qualified applicants will receive consideration for employment without regard to gender, minority status, sexual orientation, gender identity, protected veteran status, status as a qualified individual with a disability or any characteristic protected by law.
In order to be considered for this position, candidates are required to submit an application for employment through our career site, be at least 18 years of age, and be willing to take a drug test and submit to a background investigation as part of the selection process, as well as additional periodic background checks as required by the Chemical Facility Anti-Terrorism Standards (CFATS) or regulations adopted by the Department of Homeland Security or other regulatory agencies.
Candidates are required to have unrestricted authorization to work in the United States.
If currently an employee of the Company, you must have current satisfactory work performance and in most cases, have been in your current role 18 months.
Disclaimer: We are not accepting unsolicited assistance from search firms/employment agencies for this employment opportunity. Please, no phone calls or emails to any employee about this position. All resumes submitted by search firms/employment agencies to any employee of the Company via email, the Internet or in any other form and/or method without a valid written search firm agreement in place for this position will be deemed the sole property of the Company; no fee will be paid in the event a candidate is hired by the Company as a result of the unsolicited referral or through other means.
Nearest Major Market: Canton
Nearest Secondary Market: Akron
2022 Hexion. All rights reserved.