Senior Application Security Engineer

About The Position

Requirements

• 5 to 7+ years of experience in application security, software security engineering, or related roles
• Hands-on experience conducting security assessments including code review, penetration testing, or vulnerability analysis
• Demonstrated ability to threat model applications and identify security design flaws
• Proficiency with application security testing tools and methodologies
• Strong understanding of at least one programming language and web application architecture
• Experience working directly with development teams to remediate security findings
• Practical experience conducting security assessments including SAST/DAST analysis, manual code review, and penetration testing
• Proficiency with application security testing tools (Burp Suite, OWASP ZAP, or similar)
• Solid understanding of at least two programming languages (Python, Java, C#, JavaScript, Go) sufficient to review code for security issues
• Experience with API security testing (REST, GraphQL, SOAP) and authentication/authorization mechanisms (OAuth, SAML, JWT)
• Working knowledge of CI/CD security integration and tools like GitHub Advanced Security, SonarQube, or Snyk Security Knowledge
• Strong grasp of threat modeling methodologies (STRIDE preferred) and risk assessment
• Understanding of secure architecture principles and security design patterns
• Familiarity with cloud security fundamentals (AWS, Azure, or GCP)
• Knowledge of vulnerability scoring systems (CVSS, EPSS) and prioritization frameworks
• Awareness of compliance requirements (SOC 2, GDPR, HIPAA) and how they apply to application security
• Ability to communicate complex security issues clearly to both technical and non-technical audiences
• Skill in building trust and partnerships with development teams rather than acting as a gatekeeper
• Comfort working in a fast-paced agile environment where security must enable delivery
• Experience mentoring or enabling developers on security topics
• Track record of translating security findings into practical, actionable remediation guidance

Nice To Haves

• GIAC Web Application Penetration Tester (GWAPT), Offensive Security Certified Professional (OSCP), or Certified Application Security Engineer (CASE) certification
• Experience with GitHub Advanced Security (GHAS) including CodeQL, Dependabot, and secret scanning
• Background in software development or DevOps with a transition to security
• Familiarity with OWASP SAMM, BSIMM, or similar secure development maturity frameworks
• Experience operating a Security Champions program or developer security enablement initiative
• Prior work in regulated industries (healthcare, financial services, government)
• Contributions to open source security tools or vulnerability research
• Strong understanding of common web application vulnerabilities (OWASP Top 10, SANS Top 25) and secure coding practices

Responsibilities

• Conduct security architecture reviews and threat modeling sessions with development teams using STRIDE methodology
• Perform application security assessments across 20+ security verification service offerings including SAST/DAST analysis, manual code review, API security testing, authentication/authorization testing, and vulnerability validation
• Execute hands-on security testing of web applications, APIs, mobile applications, and cloud-native services
• Analyze and validate security findings from automated tools (GitHub Advanced Security, Synack, Tenable, AquaSec) and provide actionable remediation guidance
• Support penetration testing engagements and coordinate with third-party security assessment vendors (Synack ST+)
• Build and maintain security verification tooling, scripts, and automation to improve assessment efficiency and coverage
• Develop custom security testing scripts and proof-of-concept exploits to validate vulnerabilities
• Contribute to security tooling integration within CI/CD pipelines (GitHub Actions, GHAS CodeQL, secret scanning)
• Create reusable security patterns, code snippets, and reference implementations for common security controls
• Partner with Security Champions across 36 development teams to provide security design guidance and implementation support
• Deliver security training and enablement sessions on secure coding practices, common vulnerabilities, and threat modeling
• Provide just-in-time security guidance during sprint planning, design reviews, and code reviews
• Translate security findings into developer-friendly remediation guidance with code examples and implementation patterns
• Support Security Champions with security questions, design reviews, and knowledge sharing
• Contribute to SSDLC policy development and security requirements documentation grounded in OWASP SAMM practices
• Define and refine security verification service offerings based on application risk profiles
• Support the standardization of security assessment intake, execution, and reporting processes via ServiceNow
• Maintain security verification documentation including testing methodologies, checklists, and runbooks
• Track and report on security assessment metrics including coverage, finding severity distribution, and remediation timelines

Benefits

• Health / Dental / Vision Benefits Day-One
• 5% matching 401k
• financial support
• pet insurance
• mental health resources
• volunteer paid days off
• employee stock program
• foundation donation matching