Senior Application Security Engineer

About The Position

Requirements

• 5–8+ years in Application Security, Product Security, or Secure Software Development.
• Hands-on experience securing CI/CD pipelines and source repositories (GitHub, GitLab, Jenkins, etc.).
• Knowledge of supply chain security frameworks (SLSA, NIST SSDF).
• Experience with secrets management, artifact signing (Sigstore, Cosign), and build integrity.
• Strong background in WAF tuning, API security, and vulnerability remediation.
• Proficiency in at least one programming language (Python, Java, Go, JavaScript/Node.js).
• Experience with SAST, DAST, SCA, and container scanning tools.
• Cloud security experience (AWS, Azure, or GCP).
• Strong understanding of OWASP Top 10 (Web & API), CWE, and secure coding practices.
• Familiarity with OWASP Top 10 for LLM Application and MITRE ATLAS.

Nice To Haves

• Experience integrating SBOM generation and SCA into CI/CD workflows.
• Knowledge of runtime protection tools (API security platforms, RASP, container EDR).
• Experience with GitOps, IaC scanning (Terraform, CloudFormation), and policy-as-code.
• Background handling software supply chain or dependency poisoning incidents.
• Relevant certifications: OSWE, CSSLP, GPCS, GWEB, GCSA.

Responsibilities

• Integrate security practices throughout the SDLC in partnership with engineering and DevOps teams.
• Promote secure coding standards, tooling, and automation.
• Design, implement, and maintain security controls within CI/CD platforms (GitHub Actions, Jenkins, GitLab, Azure DevOps, etc.).
• Ensure software integrity through code signing, artifact validation, and provenance.
• Automate SAST, DAST, SCA, and container image scanning in the build and release pipelines.
• Automated AI specific vulnerability scanning into CI/CD to catch insecure LLM orchestration patters.
• Identify and remediate misconfigurations and access control gaps in pipeline environments.
• Design, deploy, and tune WAF rules and API security protections.
• Conduct API risk assessments and promote secure API design patterns.
• Perform secure code reviews and support automated security testing coverage across pipelines.
• Triage, prioritize, and track vulnerabilities across source code, CI/CD pipelines, and deployed services.
• Facilitate threat modeling for applications, APIs, and delivery pipelines.
• Perform threat modeling on RAG architecture and autonomous agents.
• Expand security automation around API discovery, dependency scanning, SBOM generation, and secrets detection.
• Mentor engineering teams on secure coding and secure pipeline practices.
• Support the Security Champions program.
• Act as a trusted advisor to product, platform engineering, and DevOps teams, translating technical risks into business impact.
• Partner with SOC/IR teams during software supply chain or pipeline-related security incidents.
• Assess and guide the secure adoption of AI capabilities within enterprise applications—focusing on data security, access controls, model input/output handling, and preventing misuse within internal systems.
• Leverage AI‑powered security tools to identify anomalies, code risks, and pipeline misconfigurations within internal applications and CI/CD systems.

Benefits

• Health & Wellbeing: comprehensive suite of benefits that supports physical, financial and emotional wellbeing.
• Personal & Professional Development: investment in career, specific programs catered to helping reach career goals, whether becoming a knowledge expert or applying skills to another division.
• Unconditional Inclusion: inclusive work environment, valuing varied backgrounds, flexibility to manage work and personal needs.
• Information about employee benefits offered in the US can be found at https://myhperewards.com/main/new-hire-enrollment.html