Application Security Expert

Carlsberg

  • Hong Kong
  • Permanent
  • Full-time
  • 19 days ago
This is an exciting opportunity to join our Global Application Security team as an Application Security Expert, where you will play a critical role in driving and executing software security initiatives in Carlsberg for our Asia and China markets. This role will ensure all software assets—developed or procured—meet both technical security requirements and governance, risk, and compliance (GRC) obligations in China and Asia markets. The expert will act as the Subject Matter Expert (SME) in application security, conducting architectural reviews, guiding remediation, and ensuring applications are compliant with internal security policies and local regulations such as China's Cybersecurity Law (CSL), Data Security Law (DSL), Personal Information Protection Law (PIPL), Multi-Level Protection Scheme (MLPS) certification and other local market requirements.

Who We Are

The Global Application Security team is focused on embedding SSDLC practices, governance and technologies to guarantee secure and compliant delivery of all software solutions—whether in-house, outsourced, or procured. We empower software teams to build applications that are secure and compliant with evolving regulatory demands.

What you’ll be doing

This role demands deep expertise in application security, a solid understanding of secure development practices, hands-on experience with security tools and frameworks, and a strong grasp of local market cybersecurity laws and regulatory requirements. You will play a key role in ensuring that security is embedded throughout the development lifecycle by engaging with both internal teams and third-party vendors, with a special focus on ensuring effective controls are implemented for applications and software assets in Asia markets.

With a dedicated focus on the business operations in China and Asia markets, this role necessitates regular travel to the southeastern region of China to collaborate with local teams and ensure effective security practices.

Specifically, your key responsibilities are:
  • SSDLC Implementation: Drive the adoption and execution of Carlsberg’s SSDLC processes and tools throughout all phases of application development, from defining security requirements to final review and release. Integrate security controls into Agile, DevOps, and CI/CD pipelines to enable early vulnerability detection (“shift left”).
  • Vulnerability Management: Coordinate remediation efforts for security findings, track progress, and ensure timely resolution in partnership with development teams and third-party vendors.
  • Tool Integration: Manage the integration and ongoing use of security testing tools including Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Application Security Posture Management (ASPM).
  • Risk Profiling & Threat Modelling: Conduct risk assessments and threat modelling to tailor SSDLC activities.
  • MLPS Certification: Own and maintain Multi-Level Protection Scheme (MLPS) certifications for applications in China, ensuring adherence to national security requirements and improving Carlsberg’s security posture.
  • Architectural Security Reviews: Perform secure design and architecture reviews for new applications and major changes, collaborating closely with solution architects and engineering teams.
  • Third-Party Application Assessments: Evaluate the security posture of third-party and SaaS applications, including vendor risk assessments and compliance with data protection laws and internal standards.
  • Compliance & Regulatory Alignment: Ensure all applications comply with relevant local security and privacy regulations (e.g., China PIPL, India DPDP), with a strong focus on Chinese cybersecurity and MLPS requirements.
  • Policy & Governance: Develop, maintain, and enforce application security policies, procedures, and documentation aligned with global standards such as OWASP, CIS Controls, ISO 27001, and local laws.
  • Stakeholder Collaboration: Act as the SME and main point of contact for application security within Asia and China, collaborating with development, product, legal, and security teams as well as third-party vendors.
  • Reporting & Metrics: Define and report KPIs to monitor SSDLC maturity, compliance status, and risk reduction across the Asia region. Maintain consistent governance through documentation and standards.
What we’re looking for
  • Proven expertise in application security, SSDLC implementation, and security testing methodologies.
  • Deep knowledge of OWASP standards (Top 10, ASVS), CWE/SANS Top 25, and secure coding best practices.
  • Hands-on experience with security tools such as SAST, DAST, SCA, ASPM, and vulnerability management platforms.
  • In-depth understanding of Chinese cybersecurity laws (CSL, DSL, PIPL), network data security regulations, and MLPS certification requirements, especially Level 3.
  • Experience in driving and maintaining MLPS certification processes for software applications.
  • Strong skills in developing, documenting, and enforcing security policies and procedures.
  • Familiarity with infrastructure and application security concepts, including network security, cloud security (CASB), remote work security, and application vulnerability assessments.
  • Ability to work effectively with cross-functional teams—developers, architects, product managers, and vendors.
  • Excellent communication, documentation, and stakeholder engagement skills.
  • Analytical mindset with strong attention to detail and proactive risk mitigation approach.
What you can expect

We’re asking for a lot, but you’ll be well-rewarded with:
  • Focus on your development & learning
  • Fun and informal work atmosphere, in a truly global team
  • Flexible work environment supporting a work/study life balance
  • Lots of responsibility, high expectations and trust from the start
  • Great professional challenges and chances to grow
  • Company Friday bars, employee benefits and participation in Tech events
Carlsberg Integrated Information Technology (IIT)

Carlsberg IIT is the global provider of business services to all functions, regions and markets in the Carlsberg Group. This includes business process design, system solutions, shared services and system operations. IIT employs approx. 600 people. A tight collaboration with the local markets is established in all three regions: Western Europe, Eastern Europe and Asia. Carlsberg IIT is situated in Valby, Copenhagen. As Carlsberg IIT is overall responsible for the provision of IT and data services across all Carlsberg functions and markets, the words ‘Technology’ and ‘Information’ are a given. The word ‘Integrated’ refers to the fact that the IIT Function will operate in close alignment with the business agenda of functions and regions. Furthermore, ‘Integrated’ hints that services provided by IIT should be a naturally embedded part of our colleagues’ work.

Interested?

Apply through the link. Please note that this is the only way we accept applications. Deadline for applying is 15th of September. We read applications continuously, and vacancies may be filled sooner than the deadline, so we encourage you to apply as early as possible.

We look forward to receiving your application.

Carlsberg Group: Brewing for a better today and tomorrow

All applications submitted through our system will be delivered directly to the advertiser, and the privacy of the applicant's personal data will be securely protected.

CTgoodjobs