• Lead cyber risk assessments and control reviews, identifying gaps and driving remediation through to closure • Act as a bridge between GRC and technical teams, confidently challenging and validating control design and implementation • Own and maintain the Internal Control Framework, ensuring it remains relevant and up to date, and act as the focal point for internal controls within Digital Technologies, including coordination with external auditors • Drive the implementation of new controls to ensure compliance with regulations the company is subject to • Partner with Digital Technology, Enterprise Risk Management, Legal & Compliance, and Internal Audit to embed security into business processes and decision-making

Title: Senior DevSecOps / Security Engineer - Application & Cloud (Ecommerce) Location: Remote United States Department Information Technology Employment Type Full Time Location Remote Workplace type Fully remote Compensation $150,000 - $180,000 / year Job Description: Senior DevSecOps / Security Engineer - Application & Cloud (Ecommerce) Department: Information Technology Employment Type: Full Time Location: Remote Compensation: $150,000 - $180,000 / year Description At Thorne, we work to deliver high-quality, science-backed solutions to empower individuals to take a proactive approach to their well-being. Each day begins with a mission to help others discover and achieve their best health. We count on our team members to challenge and push the boundaries to make that happen. At Thorne, you'll be joining a team of more than 750 passionate individuals committed to our cause of providing superior health solutions at every age and life stage. Thorne is seeking a Senior DevSecOps / Security Engineer - Application & Cloud (Ecommerce) to secure and scale our digital platforms, including Thorne.com, mobile applications, and emerging AI capabilities. This role sits at the intersection of application security, DevSecOps, and AWS cloud infrastructure, with a strong focus on protecting ecommerce systems, customer data, and high-traffic web applications. The ideal candidate will balance remediations and hands-on execution, ensuring systems are resilient, performant, and secure, while embedding security throughout the development lifecycle. RESPONSIBILITIES Application & Ecommerce Security - Identify and remediate vulnerabilities in Java-based applications (Spring Boot, APIs, microservices) - Address OWASP Top 10 and ecommerce-specific risks, including: o Injection (SQL/NoSQL), XSS, CSRF o Broken authentication / session management o Business logic flaws (checkout, pricing, promotions, abuse scenarios) o Account takeover, credential stuffing, bot attacks - Secure checkout flows, payment integrations, subscriptions, and customer data handling - Conduct secure code reviews and support threat modeling for new features API & Integration Security - Secure REST/GraphQL APIs (authentication, authorization, rate limiting) - Prevent API abuse, scraping, and data exfiltration - Implement and enforce secure patterns (OAuth2, JWT, token management) DevSecOps & CI/CD Security - Implement and manage security tooling in CI/CD pipelines: o SAST (Java-focused), DAST, SCA (dependencies), secrets scanning - Secure build and deployment pipelines - Enforce secure coding standards and automate policy checks - Own infrastructure-as-code security (Terraform) for app environments AWS Cloud Security (Critical) - Secure application workloads on AWS (EKS/ECS, EC2, Lambda, API Gateway, S3, RDS) - Implement and validate: o IAM roles and least privilege access o Network segmentation (VPCs, security groups, private/public boundaries) o Secrets management (AWS Secrets Manager, Parameter Store) o Data protection (encryption at rest/in transit) - Partner with Infra to ensure alignment with enterprise guardrails, while owning app-layer cloud security Runtime Protection & Detection - Implement and tune WAF, bot protection, and rate limiting for ecommerce surfaces - Partner with Infra on CrowdStrike coverage for application workloads - Support detection and response improvements for: o Web/app-layer attacks o API abuse - Triage and remediate findings from: o Pen tests o Purple team exercises o Assumed breach scenarios Security Program Execution - Translate security findings into prioritized engineering work - Partner with external security testing partners on risk prioritization (CTRM) tied to business impact - Drive adoption of security best practices across engineering teams - Act as a bridge between Ecom, Infrastructure, and external security partners WHAT YOU NEED Application & Ecommerce Security - Identify and remediate vulnerabilities in Java-based applications (Spring Boot, APIs, microservices) - Address OWASP Top 10 and ecommerce-specific risks, including: - Injection (SQL/NoSQL), XSS, CSRF - Broken authentication / session management - Business logic flaws (checkout, pricing, promotions, abuse scenarios) - Account takeover, credential stuffing, bot attacks - Secure checkout flows, payment integrations, subscriptions, and customer data handling - Conduct secure code reviews and support threat modeling for new features API & Integration Security - Secure REST/GraphQL APIs (authentication, authorization, rate limiting) - Prevent API abuse, scraping, and data exfiltration - Implement and enforce secure patterns (OAuth2, JWT, token management) DevSecOps & CI/CD Security - Implement and manage security tooling in CI/CD pipelines: - SAST (Java-focused), DAST, SCA (dependencies), secrets scanning - Secure build and deployment pipelines - Enforce secure coding standards and automate policy checks - Own infrastructure-as-code security (Terraform) for app environments AWS Cloud Security (Critical) - Secure application workloads on AWS (EKS/ECS, EC2, Lambda, API Gateway, S3, RDS) - Implement and validate: - IAM roles and least privilege access - Network segmentation (VPCs, security groups, private/public boundaries) - Secrets management (AWS Secrets Manager, Parameter Store) - Data protection (encryption at rest/in transit) - Partner with Infra to ensure alignment with enterprise guardrails, while owning app-layer cloud security Runtime Protection & Detection - Implement and tune WAF, bot protection, and rate limiting for ecommerce surfaces - Partner with Infra on CrowdStrike coverage for application workloads - Support detection and response improvements for: - Web/app-layer attacks - API abuse - Triage and remediate findings from: - Pen tests - Purple team exercises - Assumed breach scenarios Security Program Execution - Translate security findings into prioritized engineering work - Partner with external security testing partners on risk prioritization (CTRM) tied to business impact - Drive adoption of security best practices across engineering teams - Act as a bridge between Ecom, Infrastructure, and external security partners WHAT WE OFFER - Competitive compensation - 100% company-paid medical, dental, and vision insurance coverage for employees - Company-paid short- and long-term disability insurance - Company- paid life insurance - 401k plan with employer matching contributions up to 4% - Gym membership reimbursement - Monthly allowance of Thorne supplements - Paid time off, volunteer time off and holiday leave - Training, professional development, and career growth opportunities

• Provide early/proactive engagement with project teams to drive business understanding and execution of the security capabilities and services needed for innovative technology solutions; End to end support for large programs. • Provide tailored security guidance (based on risk and complexity) - Interpret & apply the IAPP requirements and standards for unique technology and business initiatives. • Drive cybersecurity adoption across R&D labs and sites (Electrophysiology) to secure IT/OT assets and enable safe & secure innovation. • Lead the cyber operational portfolio from identification > consulting remediation plan > completion partnering across ISRM, business, and technology teams. • Establish data analytics to provide security posture across the business units, functions, and sites. • Assist the Security Operations Center (SOC) with security incident investigation activities; work closely with business teams to support affected users and provide liaison with central investigation team. • Drive business understanding of critical cybersecurity regulations and ensuring solutions are compliant (NIST, NIS2, Safe Data, etc.). • Support the global deployment of security initiatives with awareness sessions, identify alternative ways of working to avoid business disruptions, and review exception requests • Drive and manage security gap assessments/remediation efforts and support integration activities for the R&D portfolio for key acquisitions.

• Lead the design, implementation, and maintenance of network security infrastructure • Build secure systems and manage engineering teams • Ensure compliance with security standards and alignment with company objectives • Support architecture, design, implementation, and operations of network and cloud infrastructure • Manage critical incidents and ensure reliable network operations including DDI, Firewall, VPN and load balancing • Provide technical leadership and coach junior members of the team