Application Security Engineer

Centerfield
Los Angeles, CA
Hybrid

About The Position

Centerfield is looking for an Application Security Engineer to partner with Engineering, Product, and Security to make security an everyday part of how we build and ship software. This role will drive a practical, developer-friendly AppSec program across teams and codebases, improving risk posture while enabling fast delivery. You will establish secure-by-default patterns, scale security testing through automation, and help Centerfield maintain an evidence-ready posture for SOC 2, HIPAA, and PCI-DSS.

Requirements

  • 7+ years of experience in software engineering and/or application security, with meaningful ownership of an AppSec program or function.
  • Strong understanding of modern web application security, common attack patterns, and secure design principles.
  • Experience building security into CI/CD and developer workflows, including SAST, DAST, SCA, secrets scanning, and container and/or IaC scanning.
  • Hands-on experience working with multiple stacks such as Node/Next.js, C#/.NET, Python, and PHP.
  • Practical cloud and platform understanding (Centerfield is primarily AWS with some GCP), including how modern apps run on Kubernetes/EKS and ECS/Fargate.
  • Strong communication skills and ability to explain security tradeoffs to both technical and non-technical audiences.
  • Proven ability to lead cross-team initiatives, set standards, and drive adoption in environments with varied tooling and legacy constraints.
  • Familiarity with compliance-driven environments and ability to translate requirements into engineering-friendly controls (SOC 2, HIPAA and/or PCI-DSS).

Nice To Haves

  • Experience with cloud security tooling and posture management tools: Jenkins, GitHub, Mend.io, SonarQube, Wiz.io.
  • Experience building Security Champions programs and scalable developer education.
  • Experience with threat modeling methodologies and running design review programs.
  • Familiarity with bug bounty, responsible disclosure, and coordinated vulnerability disclosure processes.
  • Experience supporting regulated production environments with clear separation of scopes (e.g., PCI vs. non-PCI).
  • Relevant certifications (e.g., CSSLP, GWAPT, GWEB, OSWE, AWS Security Specialty) or equivalent demonstrated expertise.

Responsibilities

  • Build and run the AppSec program: Define standards, workflows, and SLAs for identifying, prioritizing, and remediating application vulnerabilities.
  • Embed security into the SDLC: Integrate security checks into build and deployment pipelines (e.g., GitHub/Jenkins) and make results actionable for engineering teams.
  • Security testing at scale: Operate and tune AppSec tooling for SAST, DAST, and SCA, and ensure teams can consistently scan code and dependencies.
  • Threat modeling & design reviews: Lead threat modeling sessions and architecture reviews for new services and major changes to identify risks early.
  • Secure code reviews: Partner with engineering to review high-risk changes and coach teams on secure coding patterns.
  • AI security testing: Design and execute security testing for AI infrastructure and workflows, including access controls for AI agents and LLM-focused vulnerability testing (e.g., hallucination and misinformation risks, data leakage and exfiltration, prompt injection, jailbreaks, and toxicity or abuse content generation).
  • Vulnerability management: Own the end-to-end lifecycle including intake, triage, prioritization, remediation guidance, verification, and root cause analysis.
  • Tooling & automation: Manage and continuously improve AppSec tools and workflows (e.g., Mend.io, SonarQube, and related ecosystem). Use scripting and APIs (Python preferred) to automate repetitive tasks and reporting.
  • Developer enablement: Create lightweight training, office hours, and a Security Champions model that scales across teams.
  • Cross-functional partnership: Work closely with Software Engineering, DevOps, Security, and Security Operations to align detection, response, and hardening efforts.

Benefits

  • Competitive salary + semi-annual bonus
  • Unlimited PTO
  • Industry-leading medical, dental, and vision plans + generous parental leave
  • 401(k) company match plan – fully vested on day 1
  • Career growth – we enjoy promoting from within!