SIGN IN
Lead Information Security Engineer iWeb Application Security jobs in United States
cer-icon
Apply on Employer Site
company-logo

Wells Fargo · 6 hours ago

Lead Information Security Engineer iWeb Application Security

positionCHARLOTTE, NC
timeFull-time
remoteHybrid
senioritySenior Level, Lead/Staff
date5+ years exp
Wells Fargo is seeking a Lead Information Security Engineer for their Inbound Web Application Security (iWAS) team that safeguards the public edge for enterprise web assets against sophisticated Layer‑7 attacks. The role involves designing and operating DDoS protections, implementing WAF policies, and providing security consulting to internal application stakeholders.
FinanceBankingFinTechPaymentsProperty & Casualty InsuranceFinancial ServicesInsurance
badNo H1Bnote

Responsibilities

Lead incident response for moderately complex events affecting public web applications, with emphasis on Layer‑7 attack detection, triage, containment, and recovery
Provide security consulting to internal application stakeholders, ensuring conformance with enterprise security policies and standards
Design, document, test, and maintain security controls for web applications at the edge
Engineer, deploy, and tune WAF policies/signatures (e.g., cross‑site scripting, injection, protocol anomalies), bot detection/mitigation, API protection (rate limiting, schema/behavior enforcement), and Layer‑7 DDoS defenses
Implement and refine rate limiting for web and API endpoints to ensure resiliency, performance, and abuse prevention
Review and correlate security logs and telemetry across edge providers and on‑prem platforms; distinguish real attacks from false positives
Apply industry best practices in availability, integrity, confidentiality, risk management, threat modeling, monitoring, incident response, access management, and business continuity
Collaborate across security engineering, networking, application owners, and operations to resolve issues and achieve shared goals
Support application onboarding/offboarding to the SaaS providers, using knowledge of DNS, WAF, L7 DDoS, bot policies, and GLB/routing considerations

Qualification

Information Security EngineeringWeb Application FirewallsWAF signaturesHTTP-based web applicationsScripting/automationNetwork conceptsChange managementAgile methodologiesTLSCertificatesData security knowledgeNetwork security architecturesBot mitigation strategiesAPI securityInformation Security frameworksWeb security signaturesCross-site scripting protectionOSI stack explanationCommunication skills

Required

5+ years of Information Security Engineering experience, or equivalent (work experience, training, military, education)
2+ years in-depth knowledge and troubleshooting of HTTP-based web applications
5+ years implementing WAF signatures or virtual patches
5+ years hands-on with enterprise scale Web Application Firewalls
2+ years intermediate to advanced scripting/automation (e.g., Bash, Ansible playbook/role development, PowerShell, Python)
2+ years advanced understanding of network concepts (DNS, firewalls, load balancing)
1+ year change and incident management in medium/large enterprise environments
1+ year with Agile methodologies (Scrum or Kanban)
1+ year basic understanding of TLS, certificates, and mTLS authentication

Preferred

Strong verbal, written, and interpersonal communication skills
Deep WAF concepts knowledge and hands‑on policy engineering
Demonstrated experience tuning false positives/false negatives, including custom rules and exceptions
Practical knowledge of data and perimeter security (firewalls, IDS/IPS) and network protocols
Understanding of network security architectures and standards development
Familiarity with web security signatures, web firewall policy design, and global load balancing strategies
Experience with bot mitigation strategies and API security (e.g., endpoint discovery, authentication/authorization patterns, schema validation, rate limiting)
Experience with application onboarding/offboarding to edge/WAF protection stacks
Exposure to Information Security frameworks/standards (FFIEC, NIST, ISO)
Hands‑on Saas/web application security configuration at scale
Experience protecting large consumer web properties (e.g., high‑traffic, high‑visibility domains)
Applied protections against cross‑site scripting, injection, and common OWASP Top 10 issues
Comfort explaining OSI stack layers, especially the difference between network‑layer DDoS (L3/L4) and application‑layer DDoS (L7)

Company

Wells Fargo

twittertwittertwitter
Glassdoor3.6
company-logo
Wells Fargo & Company is a financial services firm that provides banking, insurance, investments, and mortgage services.
dateFounded in 1852
location
San Francisco, California, USA
people-size10001+ employees
web-link
http://www.wellsfargo.com

Funding

Current Stage
Public Company
Total Funding
unknown
1978-10-06IPO

Leadership Team

leader-logo
Charlie Scharf
CEO
leader-logo
Fernando Rivas
CEO of Corporate & Investment Banking
linkedin

Recent News

PYMNTS.com
Bilt Users Get Surprise Wells Fargo Cards as Partnership Ends
2026-02-09
Bloomberg.com
Bilt Customers Are Getting Wells Fargo Cards They Didn’t Ask For
2026-02-07
pv magazine USA
U.S. energy storage developers secure over $2 billion in latest capital infusion
2026-02-06
Company data provided by crunchbase