Johnson Controls
Application Security Engineer
About Johnson Controls
Johnson Controls is a global leader in creating smart, safe, healthy, and sustainable buildings. Founded in 1885 by Warren S. Johnson, the company began with the invention of the electric room thermostat and has since evolved to offer comprehensive building solutions. These include heating, ventilation, air conditioning (HVAC), fire protection, and security systems. With a strong emphasis on innovation, Johnson Controls focuses on energy efficiency and sustainability through its OpenBlue platform. The company provides end-to-end solutions for the building lifecycle, covering design, installation, service, upgrades, and replacements. It operates from over 700 offices in more than 150 countries, serving various sectors such as data centers, advanced manufacturing, education, and healthcare. Johnson Controls has worked on notable projects, including energy efficiency retrofits for the Empire State Building and maximizing efficiency in the Burj Khalifa. With nearly 8,000 patents and significant investments in research and development, Johnson Controls continues to play a vital role in enhancing building environments worldwide.
Security at Johnson Controls
Compiled from public job postings, careers pages, and company materials. Data may not reflect current state — verify during interviews.
Security Philosophy
“Johnson Controls' AppSec philosophy involves a full lifecycle approach and a set of security practices, including a rigorous secure product development lifecycle and agile DevSecOps practices. They aim to enable developers by choosing a senior product developer or software engineer as a Security Champion for each product and providing cybersecurity expertise and guidance to application development teams, security champions, and business leaders. Their risk philosophy mandates that software designs must be modeled according to Johnson Controls threat modeling standards, and they drive efforts to quantify residual product and application risk and identify appropriate security controls. Stated goals include assisting with the coordination and tracking of vulnerability remediation activities and ensuring all application developers complete designated developer-specific cybersecurity training. A gap exists as a single, explicit mission statement beyond programmatic descriptions is not publicly available.”
Security Team
The Global Product Security (GPS) team at Johnson Controls operates autonomously from product development to provide independent cybersecurity oversight. David Ginn is identified as the Global CISO. The explicit reporting chain of the Application Security team and the team size estimate are not publicly available. As of, one active AppSec job posting (WD30257321) was found, which indicates common skill/tool patterns such as SAST, DAST, IAST, penetration testing, and threat and attack models. Specific commercial tool names are not publicly available.
Key Initiatives
Johnson Controls has a Security Champions Program where a senior product developer or software engineer is chosen for each product, and cybersecurity expertise and guidance are provided to application development teams, security champions, and business leaders. They implement 'Shift Left' practices through a rigorous secure product development lifecycle and agile DevSecOps practices, driving policy compliance for secure SDLC activities including security requirements, architectures, and threat models. Their Vulnerability Management Process includes an intake mechanism via productsecurity@jci.com and a tiered escalation process for initial triage, severity determination, and customer notification, with assistance in coordinating and tracking remediation. Explicit SLAs or ticketing system names for remediation ownership are not publicly available. Secure SDLC Artifacts include security checkpoints and assigned security roles. A recent initiative (within the last 6 months) mentions 'Zero-trust cybersecurity'. A public changelog for new AppSec tools rolled out to engineering teams is not publicly available.