✦ Luna Orbit — Cybersecurity

Director, Product Security

at ACV Auctions

Location: Remote, US Remote
Posted: April 06, 2026
Salary: $178K – $220K USD / year
Type: Full-Time
Experience: lead
Exp. Years: 10+ years
Education: Not specified
Category: Cybersecurity

The Director of Product Security will own and mature ACV’s product and application security program, integrating security throughout the SSDLC and CI/CD pipelines. The role leads a security team, defines secure coding standards, and partners with engineering to maintain a secure, compliant platform.

  • Design, implement, and manage the end-to-end Product Security program, focusing on securing ACV's proprietary applications and code base
  • Lead the adoption of DevSecOps practices, automating security tools and gates within CI/CD pipelines
  • Establish and enforce SSDLC requirements, including secure coding standards
  • Build, mentor, and manage a team of Product Security Engineers
  • Oversee deployment and management of SAST/DAST/SCA tools and vulnerability remediation

You will drive DevSecOps adoption, manage SAST/DAST/SCA tooling, lead vulnerability remediation, and perform deep-dive security reviews of new products. The role emphasizes cloud security in AWS/GCP, secure configurations for containers/microservices/APIs, and compliance with SOC 2, GDPR, and CCPA.

The ideal candidate is a senior security leader with 10+ years in information security and at least 5 years directing product/app security in a cloud SaaS environment. They excel at building and maturing SSDLC programs, leading security teams, and communicating risk to executives while driving DevSecOps across AWS/GCP.

  • 10+ years experience in Information Security, at least 5+ years directly focused on Product Security or Application Security in a leadership role
  • Proven experience building and leading a centralized Product Security/AppSec program
  • Deep SSDLC, CI/CD, and DevSecOps knowledge
  • Strong understanding of security frameworks (NIST CSF, ISO 27001, CIS Controls)
  • Extensive cloud security experience (AWS and/or GCP)
  • Experience with modern software development including Agentic and Generative AI techniques
  • Expertise with SAST, DAST, MAST, SCA, API security platforms, and WAF

  • Fintech experience
  • Experience with AI model development and guardrails
  • Experience with external security testing and bug bounty programs
  • GRC / regulatory compliance experience
10+ years information security; 5+ years in Product Security or AppSec leadership; SSDLC; CI/CD; DevSecOps; SAST; DAST; SCA; WAF; vulnerability management; threat modeling; penetration testing; SOC 2; GDPR; CCPA; NIST CSF; ISO 27001; cloud security; AWS; Google Cloud Platform; containerized applications; microservices; APIs; cloud security
Leadership, Communication, Interpersonal skills, Strategic thinking, Stakeholder management, Collaboration, Translating risks into business context, Remote collaboration

Preferred

CISSP, AWS Certified Solutions Architect – Associate, AWS Certified Developer – Associate

Industry: SaaS
Job Function: Lead the Product Security program across ACV's software products and platforms, maturing SSDLC and security practices.
Role Subtype: Security Architect
Tech Domains: Amazon Web Services, Google Cloud Platform, Cloud security, SAST, DAST, SCA, WAF, APIs, CI/CD, DevSecOps

Less than 10 years of information security experience, Lack of leadership experience in product/application security, No cloud security experience in AWS or GCP, No experience with SSDLC, SAST/DAST/SCA
