Senior Application Security Engineer

Idexx•Westbrook, ID

13d•$120,000 - $150,000•Hybrid

About The Position

Our cybersecurity and information security teams at IDEXX contribute to a more resilient, adaptable, and security-aware enterprise prepared to navigate today’s evolving threat landscape. We have complex, multi-dimensional programs across the organization that support all the technology needed to deliver products and solutions to customers - enabling them to focus on delivering high quality patient care. IDEXX is seeking a Senior Application Security Engineer to join our Product & Application Security team protecting applications across development teams. This role combines hands-on security testing with strategic partnership - you will conduct security assessments, perform threat modeling, and work directly with developers to build security into products from the start. You will support security activities ranging from SAST/DAST analysis to API security testing, collaborate with our Security Champions to scale secure development practices, and contribute to the maturation of our Secure Software Development Lifecycle (SSDLC). This position reports to the Senior Manager of Product & Application Security and operates within a team that prioritizes partnership over enforcement, using OWASP SAMM as our operational framework.

Requirements

4-6 years of hands-on experience in application security with demonstrable technical skills
Strong grasp of threat modeling methodologies (STRIDE preferred) and risk assessment
Strong understanding of common web application vulnerabilities (OWASP Top 10, SANS Top 25) and secure coding practices
Practical experience conducting security assessments including SAST/DAST analysis, manual code review, and penetration testing
Proficiency with application security testing tools
Solid understanding of at least two programming languages sufficient to review code for security issues
Experience with API security testing (REST, GraphQL, SOAP) and authentication/authorization mechanisms (OAuth, SAML, JWT)
Working knowledge of CI/CD security integration and tools like GitHub Advanced Security, SonarQube, or Snyk
Understanding of secure architecture principles and security design patterns
Familiarity with cloud security fundamentals (AWS, Azure, or GCP)
Knowledge of vulnerability scoring systems (CVSS, EPSS) and prioritization frameworks
Awareness of compliance requirements (SOC 2, GDPR, HIPAA , CRA ) and how they apply to application security
Ability to communicate complex security issues clearly to both technical and non-technical audiences
Skill in building trust and partnerships with development teams rather than acting as a gatekeeper
Comfort working in a fast-paced agile environment where security must enable delivery
Experience mentoring or enabling developers on security topics
Track record of translating security findings into practical, actionable remediation guidance

Nice To Haves

GIAC Web Application Penetration Tester (GWAPT), Offensive Security Certified Professional (OSCP), or Certified Application Security Engineer (CASE) certification
Background in software development or DevOps with a transition to security
Familiarity with OWASP SAMM, BSIMM, or similar secure development maturity frameworks
Experience contributing to a Security Champions program or developer security enablement initiative
Prior work in regulated industries (healthcare, financial services, government)
Contributions to open-source security tools or vulnerability research

Responsibilities

Conduct security architecture reviews and threat modeling sessions with development teams using STRIDE methodology
Perform application security assessments across our security verification service offerings including SAST/DAST analysis, manual code review, API security testing, authentication/authorization testing, and vulnerability validation
Execute hands-on security testing of applications, APIs , mobile applications, agentic solutions, and cloud-native services
Analyze and validate security findings from automated security tools and provide actionable remediation guidance
Build and maintain security verification tooling, scripts, and automation to improve assessment efficiency and coverage
Develop custom security testing scripts and proof-of-concept exploits to validate vulnerabilities
Contribute to security tooling integration within CI/CD pipelines
Create reusable security patterns, code snippets, and reference implementations for common security controls
Contribute to security training and enablement sessions on secure coding practices, common vulnerabilities, and threat modeling
Provide just-in-time security guidance during sprint planning, design reviews, and code reviews as requested
Translate security findings into developer-friendly remediation guidance with code examples and implementation patterns
Contribute to SSDLC policy development and security requirements documentation grounded in OWASP SAMM practices
Guide the evolution of the SSDLC to address emerging risks and controls introduced by AI ‑ assisted development
Support the standardization of security assessment intake, execution, and reporting processes via ServiceNow
Maintain security verification documentation including testing methodologies, checklists, and runbooks
Track and report on security assessment metrics including coverage, finding severity distribution, and remediation timelines