Security Engineer III - Application Security

BOK Financial•Tulsa, OK

3d•Onsite

About The Position

Our team operates at the forefront of innovation, vigilance, and strategic risk management. We combine deep industry expertise with advanced analytics and a disciplined approach to proactively identify and mitigate emerging threats across the organization. Through continuous monitoring, comprehensive assessments, and strong cross-functional partnerships, we deliver tailored security solutions that strengthen BOKF’s resilience. We are passionate about advancing security maturity across the enterprise—collaborating closely with teams to provide actionable insights, champion best practices, and enhance controls. Our work empowers BOKF to pursue its strategic goals with confidence in an evolving threat landscape. As an Application Security Engineer III, you will play a key leadership role in advancing BOKF’s application security posture. You will drive the implementation and optimization of security capabilities across the Application Protection portfolio, including WAF, API security, DAST, SAST, IaC, SCA, and SIEM/SOAR. In this role, you will lead threat modeling and vulnerability assessments for internally developed applications and APIs, design and implement custom security policies and controls, and guide the response to application-layer incidents. You will serve as a subject matter expert, mentoring junior engineers while contributing to the design of advanced detection and prevention strategies. You will stay ahead of evolving threats—including OWASP Top 10 risks, API vulnerabilities, and software supply-chain attacks—and apply that knowledge to strengthen defenses. The role also includes performing forensic and root cause analysis, partnering with risk, legal, and compliance teams to support regulatory requirements, and developing custom code to enhance application security capabilities. As BOKF embraces AI-enabled development and security tooling, you will leverage approved AI capabilities to accelerate workflows while ensuring accuracy, safeguarding sensitive data, and maintaining strong governance. You will also assess and mitigate risks associated with AI/LLM-enabled applications and third-party services, including prompt injection, data leakage, and insecure integrations, while helping implement effective monitoring and controls.

Requirements

Bachelor’s degree in Information Security, Computer Science, or a related field, along with 5+ years of experience in Cyber Security or a related technical discipline; alternatively, 7+ years of relevant experience may be considered in lieu of a degree.
Advanced expertise in configuring and optimizing application security tools (WAF, API security, DAST, SAST, IaC, SCA, SIEM/SOAR) to deliver effective and scalable protection.
Strong understanding of application threat intelligence and the ability to identify and mitigate both known and emerging attack vectors.
Proven experience leading application security incident response, including triage, containment, and root cause analysis.
Demonstrated ability to lead cross-functional initiatives involving development, DevOps, and risk teams.
Excellent analytical and problem-solving skills, with a structured approach to complex challenges.
Advanced scripting capabilities (e.g., Python, Bash, Go, PowerShell) to automate security processes and workflows.
Experience securing CI/CD pipelines and cloud-native applications across AWS, Azure, and GCP.
Strong knowledge of cryptography, TLS, secrets management (e.g., HashiCorp Vault), and key lifecycle management.
Ability to clearly communicate complex security concepts to both technical and non-technical stakeholders.
Experience leveraging data analysis tools (e.g., Splunk, Elasticsearch, Excel) to drive insights and metrics.
Deep understanding of application risk management principles and mitigation strategies.
Familiarity with AI/LLM security risks (e.g., prompt injection, data leakage, supply-chain risk) and practical implementation of controls.
Ability to use AI-assisted tools responsibly to enhance productivity while validating results and protecting sensitive information.

Nice To Haves

Master’s degree
CISSP
Equivalent certifications

Responsibilities

Lead the design and implementation of advanced application security architectures and controls across the SDLC, including secure CI/CD guardrails.
Conduct threat modeling and in-depth vulnerability assessments for applications and APIs, partnering with stakeholders to prioritize remediation.
Develop, tune, and maintain application security controls, including WAF/API policies and DAST/SAST/SCA/IaC scanning capabilities.
Oversee application-layer incident response, including triage, containment, and forensic/root cause analysis.
Evaluate and define security controls for AI/LLM-enabled features and integrations, including risks related to data protection, model trust, and misuse scenarios.
Leverage AI-enabled security tools to enhance detection, analysis, and response while validating outputs and protecting sensitive data.
Provide technical leadership by mentoring team members and leading initiatives through successful delivery with minimal oversight.
Perform other duties as assigned.