Application Security Engineer II

Commerce
Austin, TX
Hybrid

About The Position

Welcome to the Agentic Commerce Era.

At Commerce, our mission is to empower businesses to innovate, grow, and thrive with our open, AI-driven commerce ecosystem. As the parent company of BigCommerce, Feedonomics, and Makeswift, we connect the tools and systems that power growth, enabling businesses to unlock the full potential of their data, deliver seamless and personalized experiences across every channel, and adapt swiftly to an ever-changing market. Simply said, we help businesses confidently solve complex commerce challenges so they can build smarter, adapt faster, and grow on their own terms. If you want to be part of a team of bold builders, sharp thinkers, and technical trailblazers, working together to shape the future of commerce, this is the place for you.

BigCommerce, part of the Commerce brand family, helps merchants increase sales at every stage of their growth. From small startups to mid-market businesses and large enterprises, we provide the leading e-commerce platform. Our customers can then concentrate on what's most important: growing their businesses. We enable our customers to build, innovate, and grow, collectively reshaping the e-commerce industry.

As an Application Security Engineer II at BigCommerce, you are a developing application security practitioner who can independently execute security assessments and partner effectively with engineering teams to improve secure development practices. You have moved beyond entry-level execution and are comfortable leading well-scoped security reviews, performing application testing with minimal guidance, and providing actionable remediation advice. You are not yet responsible for broad program ownership or formal mentorship, but you are a dependable contributor who raises the security bar through strong technical execution.

Requirements

  • Bachelor’s degree in Computer Science, Engineering, MIS, or equivalent experience.
  • 2–4 years of experience in application security-related disciplines (code review, penetration testing, security engineering, DevSecOps).
  • 1–2 years of software development experience in PHP, Ruby, Java, Scala, or similar.
  • Strong understanding of web application security concepts, vulnerabilities, exploits, and prevention techniques.
  • Experience performing independent code reviews and security assessments.
  • Hands-on experience with SAST/SCA tools such as Checkmarx and Snyk.
  • Ability to explain security issues clearly and effectively to developers.
  • Strong written and verbal communication skills.
  • Experience working with globally distributed teams.

Nice To Haves

  • Security certification (CISSP, OSCP, GISP, or actively pursuing).
  • Experience contributing to internal security tooling or automation.
  • Familiarity with cloud environments (AWS, GCP).
  • Experience participating in bug bounty programs.
  • Exposure to DevSecOps and CI/CD integration practices.

Responsibilities

  • Perform regular and ongoing penetration testing of BigCommerce’s evolving applications and services.
  • Conduct security code audits and participate in architectural and design reviews.
  • Review project technical designs and follow them through implementation to ensure secure outcomes.
  • Triage and validate findings from SAST, DAST, and SCA tools (e.g., Checkmarx, Snyk).
  • Work directly with engineering teams to provide clear, practical remediation guidance.
  • Respond to application-related security incidents, providing technical analysis and support.
  • Assist in maintaining and improving internal security tooling and automation.
  • Utilize vulnerability and telemetry data to identify trends and support risk prioritization.
  • Contribute to improving AppSec documentation, standards, and secure coding guidance.
  • Advocate secure development practices across the BigCommerce ecosystem.
  • Conduct research to identify new attack vectors relevant to our platform.