Senior Application Security Engineer - Automation

Fitch Group•Chicago, IL

17d•$150,000 - $170,000•Hybrid

About The Position

Fitch Group is currently seeking a Senior Application Security Engineer - Automation based out of our Chicago office. As a leading, global financial information services provider, Fitch Group delivers vital credit and risk insights, robust data, and dynamic tools to champion more efficient, transparent financial markets. With over 100 years of experience and colleagues in over 30 countries, Fitch Group’s culture of credibility, independence, and transparency is embedded throughout its structure, which includes Fitch Ratings, one of the world’s top three credit ratings agencies, and Fitch Solutions, a leading provider of insights, data and analytics. With dual headquarters in London and New York, Fitch Group is owned by Hearst. Want to learn more about a career in technology and data at Fitch? Visit: https://careers.fitch.group/content/Technology-and-Data/ We are seeking a Senior Engineer to join Fitch’s Application Security program with a strong focus on CI/CD-native security, automation, AI-assisted secure coding and deployment, and secure-by-default developer workflows. This role is ideal for an experienced application security engineer who exhibits AppSec expertise—secure design and architecture, vulnerability identification and remediation—enabling security to scale through automation rather than manual intervention. The ideal candidate will bring hands-on experience integrating security scans into modern CI/CD pipelines (e.g., GitHub Actions, Jenkins, Azure DevOps, or equivalent), building scripts and workflows that automate static, dynamic, and open-source security scanning across the delivery lifecycle, and be capable of generating, reviewing, and securing AI-assisted or generated code. This candidate will need to be able to harness and curate context for an agent that would propose fixes and features for the existing pipeline security stages, as well as to use an agent-first approach to maintaining and testing stages. They will also be comfortable performing secure code reviews to identify common vulnerabilities and will partner with development teams through practical secure-coding training, playbooks, and coaching to improve remediation quality and reduce repeat findings.

Requirements

Demonstrable experience personally delivering SecDevOps outcomes in an in enterprise environment.
Strong experience integrating security tooling into CI/CD pipelines. Ability to provide context for an agent that would propose fixes and features for the existing pipeline security stages, as well as experience or proficiency to use an agent-first approach to maintaining and testing stages.
Experience supporting application infrastructure in multi-cloud environments
Hands-on scripting experience (Python, Bash, PowerShell, YAML) for pipeline automation.
Experience developing controls for a Web Application Firewall (WAF) using different solutions like F5, AWS/Azure WAF, etc.
Deep understanding of secure software development lifecycle principles.
Experience with SAST, DAST, and SCA tools and result interpretation.
Hands-on experience performing source code reviews to identify common vulnerability classes (e.g., injection, XSS, authz/authn flaws, insecure deserialization) and guide remediation.
Experience creating and delivering developer enablement (training, office hours, playbooks) that improves secure coding practices and reduces repeat findings.
Experience with cloud-hosted applications in AWS, Azure, and/or GCP.
Strong collaboration and communication skills.
Experience mentoring engineers, defining AppSec standards, and developing standard operating procedures.

Nice To Haves

Experience working closely with cloud and platform engineering teams.
Exposure to containerized and cloud-native CI/CD pipelines.
Personal and/or professional practice using agentic solutions and building or supporting the infrastructure that runs them.
Experience improving developer experience through reusable pipeline templates.
Familiarity with security frameworks relevant to financial services.
Experience supporting audits through automated security evidence.
Bachelor’s degree in Computer Science, Cybersecurity, or equivalent experience.
Relevant certifications such as CSSLP, GWAPT, or CISSP.

Responsibilities

Lead the integration of application security controls into CI/CD pipelines.
Design, build, and maintain automated security scanning pipelines using GitHub Actions, Jenkins, Azure DevOps, or similar platforms.
Develop scripts and pipeline logic to automate SAST, SCA, and DAST scans.
Partner with cloud engineering, platform, and development teams to implement secure-by-default CI/CD templates.
Improve signal quality by tuning scans and reducing false positives.
Act as a senior technical advisor on secure coding and remediation strategies.
Support the application vulnerability management lifecycle including remediation validation.
Perform secure code reviews to identify vulnerabilities, validate findings, and provide actionable remediation guidance to developers.
Develop and drive secure coding training and AppSec best practices (e.g., OWASP Top 10), including coaching teams on integrating secure-by-design patterns into day-to-day development.
Drive developer adoption of security tooling through training, peering, and developing strong instructional documentation.
Mentor application security engineers and contribute to internal standards.
Collaborate with broader InfoSec teams to align AppSec outcomes with enterprise risk management.