Job Description

PropertyGuru is Southeast Asia's leading PropTech company, and the preferred destination for over 32 million property seekers monthly to connect with over 50,000 agents monthly to find their dream home. PropertyGuru empowers property seekers with more than 2.1 million real estate listings, in-depth insights, and solutions that enable them to make confident property decisions across Singapore, Malaysia, Thailand and Vietnam.


PropertyGuru.com.sg was launched in Singapore in 2007 and since then, PropertyGuru Group has made the property journey a transparent one for property seekers in Southeast Asia. In the last 18 years, PropertyGuru has grown into a high-growth PropTech company with a robust portfolio including leading property marketplaces and award-winning mobile apps across its markets in Singapore, Malaysia, Vietnam, Thailand as well as the region's biggest and most respected industry recognition platform - PropertyGuru Asia Property Awards , events and publications across Asia.


For more information, please visit: PropertyGuruGroup.com ; PropertyGuru Group on LinkedIn .


Lead AppSec Engineer



At PropertyGuru , we strive to "Build Southeast Asia's Trust Platform" and security is at the centre of building that trust with our customers, agents, and partners across Singapore, Vietnam, Malaysia , Thailand & India .



Role


We're looking for a

Lead Application Security Engineer

to shape and drive our AppSec strategy across modern, high-scale web, mobile, API, data, and AI-powered products. You'll operate as a senior individual contributor partnering closely with engineering, product, and platform teams to embed security into every stage of the software development lifecycle. You'll define standards and patterns, build automation, lead strategic initiatives, and act as a trusted advisor helping teams ship secure products without friction. Key Responsibilities

Set and evolve AppSec strategy

across application types (web, mobile, APIs, data, AI/ML); define standards, secure-by-default patterns, and roadmap.

Embed security across the SDLC

by automating SAST, SCA, IaC scanning, DAST/API testing, container scanning, secrets detection, and license compliance.

Harden CI/CD pipelines

(GitHub Actions, Jenkins) with least privilege, ephemeral credentials, provenance controls, and policy-as-code (OPA, CODEOWNERS, branch protection).

Lead vulnerability management

using ASPM tools; automate triage, prioritization, ticketing (Jira), SLA tracking, and reporting.

D

rive application testing and assurance

: threat modellin g , logic / auth Z validation, mobile testing (OWASP MASVS), and secure API design/testing .

Secure the software supply chain

: signed artifacts, SBOMs, dependency vetting, container security, and CI/CD provenance.

Contribute to identity and Zero Trust architecture

: secrets management, mTLS , RBAC, and runtime access policies.

Partner on data and AI/ML security

: data protection, vector database access control, model integrity, and privacy-by-design.

Mentor developers and AppSec engineers

, run training/code clinics, and improve developer experience with helpful tooling and fast feedback.

Support compliance and governance

(SOC 2, ISO 27001, PCI, OWASP ASVS/MASVS); automate evidence collection and document risk decisions.

Maintain high-quality do

cumentation

and track actionable metrics (MTTR, coverage, SLA adherence, repeat issues). Who you are

Qualifications

Bachelor's or Master's degree in Computer Science , Engineering, Cybersecurity, or equivalent practical experience. 6+ years of experience in security engineering, DevSecOps , automation, or application vulnerability management roles. Advanced scripting and automation skills in Python, Go, Bash, or similar languages. Proven hands-on experience with security tools across the SDLC: SAST, DAST, CNAPP, ASPM, secrets scanning, vulnerability management platforms, SIEM/SOAR, and ticketing systems (e.g., Jira,). Strong API development and integration skills (REST, webhooks, SDKs). Deep familiarity with cloud environments, infrastructure-as-code, CI/CD pipelines, and modern application architectures. Working knowledge of compliance frameworks (NIST, ISO 27001, SOC 2,) and control automation. Relevant certifications (e.g., OSCP, GCSA, GIAC, AWS Security) are a plus .

Essential Personal Skills

Self-starter who thrives in fast-moving environments with minimal oversight. Operates with high integrity, discretion, and accountability. Strong written and verbal communication skills, able to explain technical issues clearly to both technical and non-technical stakeholders. Comfortable collaborating across functions and influencing product, engineering, and risk leaders. Highly organized, detail-oriented, and results-driven. Naturally curious, innovative, and process-improvement minded. Experienced mentor and collaborator--able to support, guide, and grow junior team members.

Knowledge

Deep understanding of application security, vulnerability management, and security automation. Experience integrating cloud, application s , and GRC tools into cohesive security workflows. Strong grasp of DevSecOps and shift-left security practices across modern SDLCs. Familiarity with OSINT, threat intelligence tooling, and detection/hunting automation. Working knowledge of Zero Trust, identity-based controls, and layered security architecture.

Our commitment to you:

Hybrid flexible working that focuses on outcomes over hours. Holistic rewards package covering your financial, physical & mental health. Multi-directional career development across all levels. * Inclusive benefits like equal paternity leave, supporting all employees in work-life balance.