10873 - Application Security Engineer II - Cyber Defense

About The Position

Requirements

• Experience: 5+ years of experience in Application Security, Product Security, or Secure Software Engineering with hands-on experience defining and implementing Secure SDLC requirements.
• Experience integrating SAST, DAST, and open-source vulnerability scanning into CI/CD pipelines
• Education : Bachelor’s degree in Cybersecurity, Information Technology, Computer science or a related field.
• Technical Expertise : Practical experience securing containerized applications and managing hardened container images.
• Strong understanding of common application vulnerabilities (e.g., OWASP Top 10), modern CI/CD workflows and DevOps practices and secure coding and build processes.
• Strong troubleshooting and collaboration skills.
• Language Skills : Excellent stakeholder management and communication skills.
• Proficient in English for effective communication and coordination.

Nice To Haves

• Experience : Hands on experience with industry leading Application Security tools for SAST, DAST and Opensource scanning.
• Experience with container platforms and registries (e.g., Docker, Kubernetes) and working in cloud-native application environments.
• Working knowledge of application threat modeling techniques is a plus.
• Education and Certifications : Masters degree in Cybersecurity, Information Technology, Computer Science or a related discipline is preferred.
• Industry-recognized credentials such as CISSP, CISM, or Application Security specific certifications (CSSLP, GWAPT, etc) are highly desirable.
• Language Skills : Bi-lingual in English and Korean language proficiency is preferred to support global coordination and communication.

Responsibilities

• Secure SDLC Requirements & Standards Define, document, and maintain Secure SDLC policies, standards, and procedures covering:
• Secure design and coding expectations
• Security testing requirements
• Build, release, and deployment security controls
• Partner with Engineering, Platform, and AppDev teams to ensure Secure SDLC requirements are:
• Practical and scalable
• Integrated into existing development workflows
• Clearly communicated and understood
• Utilizing the standardized Risk Operation processes, support governance activities, including reviews, exceptions, and continuous improvement of SDLC security requirements.
• Container Security & Hardened Images Develop, manage, and maintain a hardened cloud container image repository for application workloads.
• Define baseline security requirements for container images, including:
• Base image selection and hardening
• Patch and dependency management
• Runtime security considerations
• Partner with platform and application teams to drive adoption of approved images and patterns.
• Ensure container images are scanned, updated, and versioned in alignment with security standards.
• CI/CD Security Tooling & Integration Define and implement automated security testing within CI/CD pipelines, including:
• Static Application Security Testing (SAST)
• Dynamic Application Security Testing (DAST)
• Open-source and dependency vulnerability scanning
• Tune tools and rules to balance coverage, accuracy, and developer experience.
• Ensure security testing is integrated early in the pipeline to enable remediation prior to final build and deployment.
• Vulnerability Management & Remediation Partner with engineering and application teams to ensure findings from SAST, DAST, and open-source scans are incorporated into the Risk Operation function and:
• Clearly triaged and prioritized
• Assigned appropriate ownership
• Remediated within agreed SLAs and timelines
• Track remediation progress and escalate systemic or repeated issues.
• Validate remediation and support secure release decisions.
• Collaboration & Enablement Act as a trusted security partner to development and other relevant teams.
• Provide guidance on secure coding practices, vulnerability remediation, and threat patterns.
• Support application security reviews, threat modeling, and design discussions as needed.
• Contribute to continuous improvement of application security tooling, processes, and metrics.