Application Security Engineer II

About The Position

Requirements

• 3–5+ years of experience in Information Technology, including security tooling
• 3–5+ years of experience as an Application Security Engineer
• 1–3+ years of experience in regulated environments (e.g., financial services, fintech)
• Strong understanding of web application security principles and architecture
• Experience with container technologies and container security
• Proficiency in at least one programming language, with willingness to learn additional languages (e.g., Rust, TypeScript)
• Experience with CI/CD pipelines and source control tools (Git, GitHub)
• Experience evaluating Infrastructure-as-Code (IaC) security across cloud environments
• Familiarity with bug bounty programs (participation or triage)
• Understanding of OWASP Top 10 and application security best practices across web, DevOps, and emerging AI systems
• Strong problem-solving, analytical thinking, and ability to adapt quickly

Nice To Haves

• Experience implementing security controls within DevOps / DevSecOps environments
• Knowledge of application security risks and mitigation strategies
• Familiarity with frameworks and standards such as: NIST 800-53 / CSF 2.0, NIST SSDF (800-218), SOC 2, PCI-DSS, PA-DSS
• Understanding of Content Security Policy (CSP)
• Ability to identify and explain vulnerabilities such as: XSS, CSRF, injection attacks, MITM attacks, Brute-force and credential attacks
• Interest in financial services, digital assets, and custodial security
• Experience working with AI tools and understanding of security considerations for generative AI
• Familiarity with AI-assisted development workflows, agent-based systems, or MCP-based tools
• Willingness to learn and adapt to AI-driven SDLC environments
• Curiosity and a continuous improvement mindset
• Ability to balance security rigor with engineering velocity
• Strong communication skills and ability to influence across teams
• Passion for building scalable, practical security solutions

Responsibilities

• Perform automated and manual vulnerability assessments for APIs and web applications
• Conduct static (SAST), dynamic (DAST), software composition analysis (SCA), and interactive (IAST) testing
• Review findings for exploitability and provide actionable remediation guidance
• Perform manual testing to validate vulnerabilities and ensure secure implementations
• Partner with developers to embed security into the SDLC
• Participate in and help manage the secure code review approval process
• Perform product threat modeling and develop threat-focused validation checks
• Ensure new projects are designed, scoped, and deployed securely
• Implement, manage, and optimize application security tools across the organization
• Support the operational management of AppSec programs and workflows
• Manage cloud security for both internally developed and third-party applications
• Contribute to internal security documentation, playbooks, and best practices
• Support Red Team exercises and external penetration testing engagements
• Assist in triaging and responding to bug bounty submissions
• Perform validation testing to ensure applications meet internal and industry security standards
• Investigate security incidents through research and log analysis
• Contribute to incident response processes, documentation, and continuous improvement
• Build or enhance internal tooling to automate security testing, compliance checks, and evidence collection
• Write scripts and utilities to improve efficiency and scalability
• Evaluate and experiment with new tools to improve application security outcomes
• Serve as a security subject matter expert for engineering and business teams
• Promote a strong, approachable security culture across the organization
• Operate flexibly across multiple responsibilities in a fast-growing environment

Benefits

• Medical, Dental, and Vision insurance
• 401(k)
• Life and disability insurance