PepsiCo
Senior Security Engineer – Vulnerability Management & Automation
Full details on LinkedIn
The complete job description, requirements, and application details are available on the original posting.
About PepsiCo
PepsiCo, Inc. is a leading multinational food and beverage corporation, formed in 1965 from the merger of Pepsi-Cola Company and Frito-Lay, Inc. The company has grown significantly since its origins in 1898, now serving over a billion customers daily across more than 200 countries. PepsiCo operates through seven divisions, focusing on steady growth and sustainability, and has achieved over 50 years of consecutive dividend increases. PepsiCo's diverse product portfolio includes well-known beverages such as Pepsi-Cola, Mountain Dew, Gatorade, and Tropicana juices, alongside popular snack brands like Lay's, Doritos, and Quaker Foods. The company emphasizes healthier options and consumer satisfaction, supported by a robust bottling and distribution network. PepsiCo is committed to sustainable practices and positive community impact through global partnerships and farmer collaborations.
Security at PepsiCo
Compiled from public job postings, careers pages, and company materials. Data may not reflect current state — verify during interviews.
Security Philosophy
PepsiCo's AppSec mission is to "effectively and efficiently make security risks visible to the business and actionable by them." The developer-facing requirement in the postings is "Introductory knowledge of secure software development, CI/CD with an emphasis on identifying vulnerabilities at the source code level." The company's risk philosophy is guided by its Global CISO, Sara Andrews, who is "responsible for developing the risk-based information security strategy." A stated goal is to "Develop, optimize, and scale automation scripts (Python, PowerShell, Bash) to improve vulnerability detection, tracking, and remediation." Information that explicitly labels PepsiCo's AppSec stance as "developer-first" or "security sign-off" is not publicly available, nor is a single public statement from PepsiCo leadership enumerating its top AppSec pain points.
Security Team
Public evidence identifies a Global CISO role and security functions integrated into cyber/IT teams, but no public document clearly states AppSec reporting lines or whether the model is centralized or embedded. Key public-facing leaders include Sara Andrews, Global Chief Information Security Officer (CISO), who is "responsible for developing the risk-based information security strategy," and John Gift, "SVP & Global CISO, PepsiCo." These sources conflict, since two different people are named as Global CISO; verify the current holder during interviews. Team size is "Information not publicly available." At the time of compilation there are 3 active AppSec job postings: "Junior Security Development Engineer," "Security Vulnerability Engineer for Emerging Technologies," and "Senior Security Engineer – Vulnerability Management & Automation." Common skill/tool patterns from job postings include "Willingness to learn and effectively use a variety of security scanning tools, including SAST, DAST, Secret, API, SCA, and Container scanning solutions," the ability to "Develop custom API integrations between container/API scanning tools, ServiceNow VR & CC," and the ability to "Leverage and optimize the ServiceNow VR module for scalable vulnerability tracking."
Key Initiatives
No public evidence was found for a formal Security Champions program, though a "Shecurity Cybersecurity program" was referenced. "Shift Left" practices are indicated by "Introductory knowledge of secure software development, CI/CD with an emphasis on identifying vulnerabilities at the source code level" and the ability to "Automate the ingestion of container/API vulnerability findings into ServiceNow VR for enhanced tracking and resolution." The vulnerability management process includes a Responsible Disclosure Program "Managed by HackerOne," with an "Average time to first response 5 hours" and "Average time to triage 3 days." Operational automation involves using the "ServiceNow VR module for scalable vulnerability tracking." Secure SDLC artifacts include "security documentation, playbooks." However, no public evidence enumerates formal SDLC gate checklists, mandatory security review ceremonies, or documented SLAs for AppSec sign-off. No public statements describing new AppSec-specific programs or tool rollouts within the last six months were found.
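The postings above describe automating the ingestion of container-scan findings into a vulnerability tracker (ServiceNow VR) so they can be tracked and remediated at scale. The script below is an added example of the normalisation step such an integration needs before anything is pushed to a tracker; it is not PepsiCo code and it does not use ServiceNow's API. It assumes a Trivy-shaped JSON report (`Results[].Vulnerabilities[]`), a hypothetical output schema (`correlation_id`, `risk_rating`, and so on), a constructed sample report, and a dedup policy keyed on image, CVE, package and installed version so that rescans update existing records instead of creating duplicates.

```python
"""Normalise container-scan findings for ingestion into a vulnerability tracker.

Added example, not PepsiCo code. Assumptions: Trivy-style input layout,
a hypothetical target record schema, and the dedup/severity policy below.
"""
import hashlib
import json
from collections import Counter
from typing import Dict, List

# Constructed sample shaped like a Trivy JSON report (image name is made up).
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "registry.example.internal/payments/api:1.4.2",
    "Results": [
        {"Target": "registry.example.internal/payments/api:1.4.2 (debian 12)",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2023-0001", "PkgName": "libssl3",
              "InstalledVersion": "3.0.9-1", "FixedVersion": "3.0.11-1",
              "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-2023-0002", "PkgName": "zlib1g",
              "InstalledVersion": "1.2.13", "FixedVersion": "",
              "Severity": "LOW"}]},
        {"Target": "usr/lib/ssl (layer 7)",
         "Vulnerabilities": [
             # Same finding reported under a second target: must collapse.
             {"VulnerabilityID": "CVE-2023-0001", "PkgName": "libssl3",
              "InstalledVersion": "3.0.9-1", "FixedVersion": "3.0.11-1",
              "Severity": "CRITICAL"},
             # Malformed severity: must not be dropped silently.
             {"VulnerabilityID": "CVE-2024-0003", "PkgName": "requests",
              "InstalledVersion": "2.25.0", "FixedVersion": "2.31.0",
              "Severity": "weird"}]},
    ],
})

# Scanner severity label -> numeric rating (1 = critical ... 4 = low).
# Scale and mapping are assumptions for this example.
SEVERITY_RATING = {"CRITICAL": 1, "HIGH": 2, "MEDIUM": 3, "LOW": 4}
UNKNOWN_RATING = 3  # unknown/malformed severity: track as medium, flag for triage


def parse_findings(report_json: str) -> List[Dict]:
    """Flatten a Trivy-shaped report into one dict per raw finding."""
    report = json.loads(report_json)
    image = report.get("ArtifactName", "")
    findings = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "image": image,
                "target": result.get("Target", ""),
                "cve": vuln["VulnerabilityID"],
                "package": vuln["PkgName"],
                "installed": vuln["InstalledVersion"],
                "fixed": vuln.get("FixedVersion") or None,  # "" means no fix
                "severity": str(vuln.get("Severity", "")).upper(),
            })
    return findings


def fingerprint(f: Dict) -> str:
    """Stable correlation key: the same image+CVE+package+version always maps
    to the same id, so re-ingesting a rescan updates rather than duplicates."""
    key = "|".join([f["image"], f["cve"], f["package"], f["installed"]])
    return hashlib.sha256(key.encode()).hexdigest()[:32]


def normalise(findings: List[Dict]) -> Dict[str, Dict]:
    """Deduplicate findings and convert them to tracker records
    (hypothetical field names, not ServiceNow's)."""
    records: Dict[str, Dict] = {}
    for f in findings:
        fid = fingerprint(f)
        if fid in records:
            records[fid]["seen_in"].append(f["target"])  # keep evidence, no new record
            continue
        rating = SEVERITY_RATING.get(f["severity"])
        records[fid] = {
            "correlation_id": fid,
            "asset": f["image"],
            "vulnerability": f["cve"],
            "package": f["package"],
            "installed_version": f["installed"],
            "fixed_version": f["fixed"],
            "risk_rating": rating if rating is not None else UNKNOWN_RATING,
            "needs_triage": rating is None,
            "remediation": "upgrade" if f["fixed"] else "no_fix_available",
            "seen_in": [f["target"]],
        }
    return records


def summarise(records: Dict[str, Dict]) -> Counter:
    """Count records per risk rating, e.g. for an SLA dashboard."""
    return Counter(r["risk_rating"] for r in records.values())


if __name__ == "__main__":
    recs = normalise(parse_findings(SAMPLE_REPORT))
    print(json.dumps(list(recs.values()), indent=2))
    print("by rating:", dict(summarise(recs)))
```

The correlation id is what makes the integration safe to run on every build: pushing the same record twice should be an update keyed on that id, not a new ticket. Findings with no fixed version are kept but tagged `no_fix_available` so they can be routed to a different workflow (mitigation or acceptance) instead of sitting in a remediation queue nobody can act on.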