Application Security Engineer, Vice President

About The Position

Requirements

• 5+ years of experience in application security, secure development, DAST, and SAST.
• Hands-on experience with DAST tools such as Invicti (Netsparker), AppScan, Burp Suite, Acunetix.
• Experience with SAST tools such as Veracode and Fortify.
• Hands-on experience performing manual testing with Burp Suite.
• Strong knowledge of web security vulnerabilities (OWASP Top 10, SANS Top 25, ITRE ATT&CK).
• Strong software development experience with Java and Python (and/or .NET); comfortable writing production-quality code and scripts for security engineering and automation is required.
• Familiarity with secure software development life cycle (SSDLC) and CI/CD pipelines.
• Scripting skills (Python, Bash, PowerShell) to automate security tasks.
• Collaborate effectively with developers and provide security guidance in a constructive manner.
• Communicate clearly through technical reporting and vulnerability documentation.
• Apply an analytical mindset focused on improving software security and reducing risk exposure.
• Bachelor's degree in Computer Science or a closely-related discipline, or an equivalent combination of formal education and experience.

Nice To Haves

• Relevant security certifications (e.g., OSCP, OSWE, GWAPT, CEH) are highly desirable.
• AI/ML security experience (e.g., securing LLM-enabled applications AI features, testing for prompt injection and data leakage, and evaluating model/dependency supply chain risk) is preferred.
• Experience with cloud security (AWS, Azure, Oracle Cloud) is a plus.

Responsibilities

• Conduct DAST scans using Invicti to identify vulnerabilities in applications.
• Conduct SAST scans using Veracode to identify vulnerabilities in source code.
• Conduct SCA scans using Veracode to identify vulnerabilities in open-source components.
• Compare SAST and DAST results to ensure comprehensive vulnerability coverage.
• Analyze scan results, identify root causes, and collaborate with developers to implement effective remediations.
• Integrate security testing into CI/CD pipelines and DevOps workflows.
• As needed, conduct manual verification and authenticated scans using Burp Suite to reduce false negatives.
• Understand and evaluate vulnerabilities in Java, .NET, Python, and other application codebases.
• Partner with development teams to remediate security flaws and reinforce secure coding practices.
• Provide guidance on OWASP Top 10 and SANS Top 25 vulnerabilities, including how they arise and how to prevent them.
• Write scripts and code in Java and Python as needed for security engineering and automation.
• Ensure required DAST, SAST, and SCA release and periodic scanning occurs and findings are addressed within SLA.
• Review and approve false positives and mitigated-by-design requests for DAST, SAST, and SCA.
• Review and approve SDLC tasks (MME and SbD MUFG processes) for DAST, SAST, and SCA.
• Maintain compliance with NIST, PCI-DSS, FFIEC, SOX, and CIS security frameworks.
• Store and organize security artifacts in archives following standardized documentation practices.
• Work closely with developers, DevOps teams, and application owners to secure software across all stages of the SDLC.
• Automate security scanning processes via scripting and improve reporting capabilities.
• Stay updated on exploitation techniques, security research, and industry best practices.

Benefits

• comprehensive health and wellness benefits
• retirement plans
• educational assistance and training programs
• income replacement for qualified employees with disabilities
• paid maternity and parental bonding leave
• paid vacation, sick days, and holidays