Security Lead, Amersfoort
3801 Amersfoort, Netherlands
Posted: less than a week ago
Ad text
Introduction
ANVA's new multi-tenant, cloud-native SaaS platform lays the foundation for the future of insurance. As Security Lead, you own the security posture of a platform that handles data for millions of Dutch citizens. Not by writing policies from the sideline, but by shaping how software is designed, built, and delivered securely. You bring deep application security and security architecture expertise, and you know how to leverage AI to make security faster and more proactive. You report directly to the CTO and will build out the Security team.

Your Impact
You make our software secure by design, from architecture decisions down to the code that ships. Your strength lies in understanding how applications break: how data flows through complex systems, where trust boundaries exist, and what happens when they're violated. You bring a security architect's lens to a product engineering organization, ensuring that security is embedded in how we think, design, and build.

What You'll Do
Conduct security architecture reviews and secure design assessments for new features, services, and platform capabilities. Define and maintain security design patterns, reference architectures, and guardrails for a multi-tenant SaaS environment. Assess trust boundaries, data flows, and authorization models across our platform.
Lead and mentor teams in threat modeling using methodologies such as STRIDE, PASTA, or attack trees to identify and mitigate risks early in the design phase. Identify and articulate technical risks, translating them into concrete, prioritized remediation actions. Champion secure coding practices across engineering teams and elevate the quality of security-focused code reviews.
Drive the maturity of security testing (SAST, DAST, SCA, secrets detection) integrated into the development workflow, not bolted on afterward. Be the go-to expert on application-level vulnerability classes: injection, broken access control, insecure deserialization, API security flaws, and beyond.
Define and own ANVA's security strategy, translating it into a clear, actionable roadmap with measurable outcomes. Translate compliance and regulatory requirements into technical measures that teams can actually implement. Raise security awareness and build a culture where security is a natural part of engineering quality, not a gate at the end.
Deploy AI as a catalyst for security innovation and proactive risk detection.

Your Milestones
Establish a clear, actionable security roadmap that is understood and embraced across engineering. Make security architecture and secure design reviews a standard part of how we build. Embed threat modeling, secure coding practices, and application security testing structurally into our development lifecycle.
Demonstrably raise the security maturity of our SDLC and delivery processes. Build a security-aware engineering culture where teams apply security-by-design as second nature. Play a key role in strengthening the security posture of ANVA's multi-tenant SaaS platform.

Who are you?
You are an experienced application security professional or security architect who bridges the gap between engineering teams and security objectives. You don't just find vulnerabilities. You prevent them by influencing how software is designed and built. Significant experience in application security and/or security architecture, working closely with software development and architecture teams.
Proven ability to conduct security architecture reviews, secure design assessments, and threat modeling (STRIDE, PASTA, attack trees, or similar). Deep understanding of application-level vulnerabilities, secure coding principles, and common attack patterns. Experience embedding security into agile development processes, including security testing, developer enablement, and shift-left practices.
Strong grasp of authentication, authorization, API security, and data protection patterns in modern web and SaaS architectures. Familiarity with security testing tools and practices: SAST, DAST, SCA, and their integration into CI/CD pipelines. Ability to translate compliance requirements (e.g., SOC 2, ISO 27001) into practical, implementable technical measures.

Nice to have:
Experience with cloud-native security patterns (AWS or Azure) in a multi-tenant SaaS context. Knowledge of the Dutch insurance industry. Experience building or scaling a security function within a product engineering organization.
Key information
Company name: ANVA
Position: Security Lead
More information about this ad
Security Lead is posted in the Amersfoort services category on Locanto.