EPAM Systems
Senior Security Engineer
About EPAM Systems
EPAM Systems is a global provider of digital engineering, cloud, and AI-enabled transformation services, as well as business and experience consulting. Founded in 1993 in Princeton, New Jersey, by Arkadiy Dobkin and Leo Lozner, the company has grown significantly, employing over 62,000 people across more than 55 countries. EPAM serves over 340 clients from the Forbes Global 2000, showcasing its extensive reach and expertise. The company offers a wide range of services, including advanced software engineering, digital platform strategy, design, consulting, and cloud transformation. EPAM emphasizes innovation through its "Engineering DNA," focusing on agile delivery, big data, machine learning, and human-centric digital transformation. It has developed various solutions and tools, such as EPAM DIAL, EliteA™, and AI/RUN™, and has expanded its expertise in sectors like financial services, healthcare, and manufacturing.
Security at EPAM Systems
Compiled from public job postings, careers pages, and company materials. Data may not reflect current state — verify during interviews.
Security Philosophy
- EPAM's AppSec philosophy emphasizes that CISOs are not meant to hinder innovation but to ensure it is done securely, evolving from gatekeepers to collaborative partners who work with security and non-security teams alike. Their risk philosophy involves layering cybersecurity techniques so that the payoff is not worth the attacker's effort, and letting go of insecurity.
- Stated goals include injecting security champions into projects to enhance security culture, ensuring passwords are never hard-coded, and fostering security awareness by helping developers understand risks.
- A gap identified is the lack of a publicly available explicit AppSec charter or single-line mission statement beyond leadership commentary.
Security Team
The organizational structure and reporting line for AppSec are not publicly available, including an explicit org chart or formal reporting chain. The key public-facing leader identified is Sam Rehman, Chief Information Security Officer, SVP, who states that 'CISOs are evolving from gatekeepers to collaborative partners'. A definitive top-3 list of AppSec leaders is not publicly available. The team size estimate is also not publicly available, despite a LinkedIn search. As of, there is 1 active AppSec job posting for a 'Senior Application Security Engineer'.
Common skill and tool patterns from job postings include:
- Strong experience with Checkmarx CxSAST or other SAST tools
- Familiarity with GitHub and integrating security scans into CI/CD pipelines
- Experience with Python, Go, or other scripting languages
- Familiarity with CI/CD tools like Jenkins, GitLab CI/CD, or Azure DevOps
- Experience with Docker and Kubernetes
- Understanding of Terraform or Ansible
Gaps include definitive team headcount, formal reporting line, and named AppSec leadership beyond Sam Rehman.
Key Initiatives
EPAM has a Security Champions Program, with evidence stating that 'Injecting security champions into projects enhances security culture' and that teams 'Assign someone from the engineering team to the Security Champion role.' They practice 'Shift Left' by 'shifting security left, or earlier in the development/configuration lifecycle' and aim to 'integrate SAST/DAST tools into the CI/CD pipeline'.
For Vulnerability Management, intake involves conducting 'security reviews, threat modelling and review penetration test results for applications' and staying 'updated on the latest security threats and ensure our scanning rules evolve accordingly'. However, explicit published SLAs, MTTR targets, or ticketing ownership details for AppSec remediation are not publicly available.
Secure SDLC Artifacts include 'threat modeling, secure code review, vulnerability assessment, penetration testing', but 'security reviews for all major features' is not publicly available as a direct verbatim EPAM statement.
No explicit, dated public statements describing new AppSec programs, tool rollouts, or policy changes were found for recent initiatives (last 6 months). Gaps include no public, dated SLAs or remediation MTTRs, and no public, dated org chart or formal AppSec reporting line.