At Lilly, we unite caring with discovery to make life better for people around the world. We are a global healthcare leader headquartered in Indianapolis, Indiana. Our employees around the world work to discover and bring life-changing medicines to those who need them, improve the understanding and management of disease, and give back to our communities through philanthropy and volunteerism. We give our best effort to our work, and we put people first. We’re looking for people who are determined to make life better for people around the world.
As an Application Security Engineer your role is focused on advancing Lilly's Secure SDLC program through engineering, automation, and applied AI. This is a critical, builder role on the Security Architecture & Engineering (SAE) team that will own and evolve core AppSec platforms- SAST, DAST, SCA, secret scanning, secrets management, and software supply chain controls- while building the automation and AI tooling that can scale across thousands of repositories and hundreds of applications. We're targeting candidates at R4-6. Job description is below.
What You'll Be Doing:
As an Application Security Engineer, you will operate at the intersection of software engineering and security engineering- leading platforms, writing code, building integrations, and designing automation. You will take part in Lilly's Secure SDLC program end-to-end, including SAST, DAST, SCA, and secret scanning tooling; secrets management; and our emerging software supply chain capabilities. You will use technology and apply LLM-based approaches to secure application and architecture design, vulnerability triage and remediation, and the delivery of secure‑by‑default patterns across Lilly’s development ecosystem.
How You'll Succeed:
Engineering-first mentality: You bring real software development experience and treat security problems as engineering problems, automating what can be automated, integrating deeply with developer workflows, and writing production-quality code.
AI fluency: You are genuinely excited about LLMs and agentic tooling and have built things with them. You understand MCP, agent harnesses, and how to wire LLMs into real workflows — and you can tell where AI meaningfully accelerates security work versus where it shouldn't be trusted.
Platform management: Success requires running AppSec tooling as platforms with clear SLAs, telemetry, and continuous improvement rather than one-off scans and tickets.
Secure coding credibility: You have written code in multiple languages and ecosystems and can speak the developer's language. When you flag a finding or propose a control, engineers trust that you understand the tradeoffs.
Developer partnership: You build leverage through partnership—meeting development teams where they are, shipping secure-by-default patterns, and making the secure path the path of the least resistance.
Build system security: You understand that CI/CD is itself a high-value target. You have opinions on GitHub Actions OIDC, pinning actions to commit SHAs, least-privilege runners, and protecting secrets and artifacts as they move through the pipeline.
Key Responsibilities:
Evolve one or more AppSec platforms within the Secure SDLC program.
Design and build automation within Security Architecture and Engineering.
Apply LLMs, agentic frameworks, MCP servers, and tool-calling patterns.
Partner with development teams on secure coding practices, threat modeling, and remediation of findings from SAST, DAST, SCA, and secret scanning tools.
Contribute to Lilly's Secure SDLC standards and vulnerability management policy, translating policy into enforceable pipeline and platform controls.
Support the secrets management rollout and migration of applications off legacy secret stores, including code-level guidance for SDK-based and injected consumption patterns.
Produce developer-facing content, reference architectures, secure patterns, short-form instructional content and reusable code samples.
Harden Lilly's CI/CD environment against software supply chain attacks— pinned actions, OIDC-based cloud auth, runner isolation, workflow permissions, and protection of build-time secrets and artifacts.
Partner with the Cloud Security team on Infrastructure-as-Code (IaC) security — extending secure-by-default patterns and developer guardrails from application code into the infrastructure that runs it.
Your Basic Qualifications:
Bachelor's Degree in Computer Science, Information Security, Software Engineering, or related fields.
At least 2 years of dedicated application security experience
At least 2 years of software development experience with individual contributions to production systems,
At least a total of 5 years of combined experience across both rigors.
Demonstrated production coding experience in at least one of: Python, TypeScript/JavaScript, Java, Go, or C# — not solely in an advisory, review, or scripting capacity.
Experience building or integrating security automation within a GitHub environment, including GitHub Actions.
Familiarity with threat modeling in a professional setting
Hands-on experience with large language models (LLMs) in a professional or project context, such as prompt engineering, API integration, or workflow automation.
What You Should Bring:
Hands-on software development experience in at least one modern language (Python, TypeScript/JavaScript, Java, Go, or C#) with a track record of shipping working code- not just reviewing others'.
Strong expertise in application security fundamentals—OWASP Top 10, CWE, secure coding practices, threat modeling, and vulnerability assessment.
Experience operating or deeply integrating with SAST, DAST, SCA, and secret scanning tools.
Genuine enthusiasm for and hands-on experience with LLMs, prompt engineering, agentic workflows, or LLM-powered tooling—bonus points for things you have actually built and shipped.
Familiarity with secrets management platforms and patterns and with software supply chain / artifact management.
Working knowledge of cloud environments (AWS preferred; Azure or GCP welcome) and containerized workloads (ECS, EKS, Docker).
Familiarity with IaC scanning and the IaC ecosystem (Terraform, CloudFormation, Kubernetes manifests)
Strong communication skills; ability to translate security requirements into actionable engineering guidance and to represent AppSec in conversations with engineering partners.
Commitment to staying ahead of with emerging AppSec threats, tooling, and AI/LLM capabilities.
Location & Work Flexibility
This role is based at our Corporate Center in Indianapolis, IN. We offer a flexible hybrid work model, with three days onsite and two days working remotely each week, supporting both collaboration and work‑life balance.
We are also open to considering fully remote candidates based on role requirements and business needs.
Lilly is dedicated to helping individuals with disabilities to actively engage in the workforce, ensuring equal opportunities when vying for positions. If you require accommodation to submit a resume for a position at Lilly, please complete the accommodation request form (https://careers.lilly.com/us/en/workplace-accommodation) for further assistance. Please note this is for individuals to request an accommodation as part of the application process and any other correspondence will not receive a response.
Lilly is proud to be an EEO Employer and does not discriminate on the basis of age, race, color, religion, gender identity, sex, gender expression, sexual orientation, genetic information, ancestry, national origin, protected veteran status, disability, or any other legally protected status.
Our employee resource groups (ERGs) offer strong support networks for their members and are open to all employees. Our current groups include: Africa, Middle East, Central Asia Network, Black Employees at Lilly, Chinese Culture Network, Japanese International Leadership Network (JILN), Lilly India Network, Organization of Latinx at Lilly (OLA), PRIDE (LGBTQ+ Allies), Veterans Leadership Network (VLN), Women’s Initiative for Leading at Lilly (WILL), enAble (for people with disabilities). Learn more about all of our groups.
Actual compensation will depend on a candidate’s education, experience, skills, and geographic location. The anticipated wage for this position is
$126,000 - $224,400Full-time equivalent employees also will be eligible for a company bonus (depending, in part, on company and individual performance). In addition, Lilly offers a comprehensive benefit program to eligible employees, including eligibility to participate in a company-sponsored 401(k); pension; vacation benefits; eligibility for medical, dental, vision and prescription drug benefits; flexible benefits (e.g., healthcare and/or dependent day care flexible spending accounts); life insurance and death benefits; certain time off and leave of absence benefits; and well-being benefits (e.g., employee assistance program, fitness benefits, and employee clubs and activities).Lilly reserves the right to amend, modify, or terminate its compensation and benefit programs in its sole discretion and Lilly’s compensation practices and guidelines will apply regarding the details of any promotion or transfer of Lilly employees.
#WeAreLilly