Application Security Engineer

Veilant, Tysons, VA
Remote

About The Position

Veilant is looking for an Application Security Engineer to join our InfoSec team and help validate, secure, and continuously improve software developed by internal and partner engineering teams. This role is ideal for someone who combines a software engineering foundation with an attacker mindset. You will review major and minor software releases before deployment, identify and validate vulnerabilities, create proof-of-concept demonstrations where appropriate, and provide practical remediation guidance that developers can act on. You will not simply file security tickets and move on. You will work closely with engineering teams to understand application architecture, business logic, user workflows, data sensitivity, and production environments so that your findings are accurate, contextualized, and useful. You will work collaboratively across Veilant’s software, DevSecOps, and infrastructure teams.

Requirements

  • Ability to obtain a Security Clearance
  • 2+ years of software development experience in Java.
  • Hands-on experience reviewing or securing applications built with Java Spring Boot, Angular, REST APIs, SQL databases, and PostgreSQL.
  • Working knowledge of authentication and authorization technologies, including JWT, OAuth, identity providers, Entra, Keycloak, and token-based access models.
  • Experience intercepting, decrypting, manipulating, and analyzing web or application network traffic.
  • Demonstrated ability to find, validate, and explain vulnerabilities in a real codebase.
  • Familiarity with CI/CD tools such as GitLab CI, Azure DevOps, or GitHub Actions.
  • Experience with containerized environments and orchestration tools such as Kubernetes.
  • Exposure to infrastructure-as-code and container scanning tools such as Trivy, Kubesec, or similar technologies.
  • Understanding of cloud hosting environments such as Azure or AWS.
  • Familiarity with secrets management tools such as GitLab Secrets Manager, AWS KMS, Azure Key Vault, or Ansible Vault.
  • Experience with automated application security testing, including SAST, DAST, and SCA.
  • Familiarity with runtime security and monitoring tools for containers, such as Falco, NeuVector, or similar platforms.
  • Hands-on web security testing experience using Burp Suite or comparable tooling.
  • Strong written communication skills, including the ability to write reports for both technical and non-technical audiences.

Nice To Haves

  • OSWE, OSCP, and/or GXPN certifications are highly desirable.

Responsibilities

  • Audit software releases across major and minor cycles to intercept and remediate security flaws before deployment.
  • Analyze source code to identify, isolate, validate, and contextualize vulnerabilities in complex application codebases.
  • Build safe proof-of-concept examples to demonstrate exploitation paths and verify the real-world impact of discovered risks.
  • Contextualize findings based on application business logic, user workflows, data sensitivity, and production use cases.
  • Author clear remediation guidance and partner with development teams to implement effective patches, controls, or architectural mitigations.
  • Intercept and analyze application-layer network traffic using tools such as Burp Suite or similar intercepting proxies to inspect encrypted payloads, API calls, and authentication flows.
  • Assess and help secure core architectures across REST APIs, SQL databases, PostgreSQL, JWT/OAuth, identity providers, and token-based authentication mechanisms.
  • Perform threat modeling for web applications based on use cases, data flows, user roles, trust boundaries, and production environments.
  • Improve DevSecOps pipelines by integrating, tuning, and operationalizing SAST, DAST, SCA, IaC scanning, secrets detection, and container security tooling.
  • Support container runtime security efforts using monitoring and runtime protection tools such as Falco, NeuVector, or similar technologies.
  • Create standardized security reporting that translates technical findings into clear risk narratives for both engineering teams and executive stakeholders.

Benefits

  • Flexible PTO + holidays
  • Generous 401k match benefit up to 10%, with an automatic 3% safe harbor contribution and additional matching based on employee contributions.
  • Medical (HSA & PPO Plans Available), dental, vision, disability, and life insurance
  • Employer Contribution to Health Savings Account (HSA)
  • Learning & Development opportunities
  • Professional coaching services
  • Get the technology you want to do your job
  • Free daily snacks & drinks