Application Security Lead (m/f/d)

METRO AG

Düsseldorf

On-site

EUR 100.000 - 125.000

Full-time

24 days ago

Summary

An international food wholesaler is looking for a Cloud Security Specialist to define security requirements for cloud platforms and monitor compliance. The ideal candidate holds a Master’s degree in Computer Science and has at least 3 years of experience in cybersecurity. Responsibilities include developing security guidelines and supporting software engineering teams in risk assessment. The role offers flexibility, comprehensive training programs, and various employee benefits.

Benefits

  • Flexible working hours and mobile working options
  • Comprehensive training programs
  • Health initiatives and employee assistance programs
  • Campus amenities: gym, sports classes
  • Employee discounts
  • Company pension contributions
  • Family support: daycare centers and holiday camps

Qualifications

  • At least 3 years of experience in cybersecurity, application security, or software engineering.
  • Ability to produce detailed, actionable analysis reports.
  • Broad knowledge of security architectures in IT and OT environments.

Responsibilities

  • Contribute to developing guidelines and standards for application security.
  • Ensure SDLC stages adhere to best practices in information security.
  • Develop and maintain technologies for continuous software development.

Skills

  • Knowledge of security standards (e.g., OWASP, ISO 27001, NIST)
  • Experience with threat modeling (e.g., STRIDE)
  • Proven experience implementing DevSecOps in CI/CD pipelines
  • Strong project management and stakeholder communication skills
  • Understanding of vulnerability prioritization approaches
  • Fluent in English

Education

  • Master's degree in Computer Science or Information Security

Job description

METRO is a leading international food wholesaler serving hotels, restaurants, caterers (HoReCa), and independent merchants (Traders). With approximately 15 million customers worldwide, METRO offers a multichannel shopping experience through large stores and digitally supported delivery services (Food Service Distribution, FSD). Additionally, METRO MARKETS is an expanding online marketplace for professional customers, active since 2019. The company is committed to sustainability, listed on indices like MSCI, Sustainalytics, and CDP. Operating in over 30 countries with more than 85,000 employees, METRO generated €31 billion in sales in FY 2023/24.

Our “sCore” growth strategy and shared values—curiosity, determination, courage, drive, commitment, and trust—guide us. We foster a collaborative “ONE METRO” spirit, emphasizing continuous improvement and a strong commitment to wholesale. Learn more at careers.metroag.de.

Role Purpose

This role involves defining security requirements for METRO's cloud platforms, based on industry standards and regulations, and monitoring their fulfillment. It requires expertise in security threats, controls, and technologies related to IaaS, PaaS, SaaS cloud platforms, and associated IT resources.

Responsibilities

  1. Contribute to developing guidelines and standards for application security, cryptography, and related areas in software development.
  2. Ensure that all software development lifecycle (SDLC) stages adhere to best practices in information security and data privacy.
  3. Develop and maintain technologies and processes for continuous software development (CI/CD pipelines), including automated security validations.
  4. Support software engineering teams in addressing vulnerabilities and weaknesses.
  5. Assist cyberdefense and engineering teams in assessing risks from vulnerabilities in software and third-party libraries.

Minimum Qualifications

  • Master's degree in Computer Science, Information Security, or related field.
  • At least 3 years of experience in cybersecurity, application security, or software engineering.
  • Knowledge of security standards (e.g., OWASP, ISO 27001, NIST).
  • Experience with threat modeling (e.g., STRIDE).
  • Proven experience implementing DevSecOps with SCA, DAST, and SAST in CI/CD pipelines.
  • Understanding of vulnerability prioritization approaches.
  • Ability to produce detailed, actionable analysis reports.
  • Strong project management and stakeholder communication skills.
  • Broad knowledge of security architectures in IT and OT environments.
  • Fluent in English.

What We Offer

  • Flexible working hours and mobile working options, with 30 days of holidays.
  • Comprehensive training programs.
  • Health initiatives, medical care, and employee assistance programs.
  • Campus amenities: gym, sports classes, coffee bar, canteen, and events.
  • Employee discounts and good transport options.
  • Company pension contributions.
  • Family support: daycare centers and holiday camps.