Senior Application Security Specialist

EcoVadis

1d•Hybrid

About The Position

Role Overview As an Application Security Specialist, you will play a critical role in ensuring that our software products (including web and mobile applications) are designed, built, and deployed with security as a core principle. You will bridge the gap between Security and Development, acting as a subject matter expert who empowers engineering teams to deliver high-quality, secure, and robust code. In this role, you will specifically focus on the intersection of Application Security and Artificial Intelligence. Your mission is to integrate security into the entire Software Development Life Cycle (SDLC) while addressing the unique challenges of AI-driven applications. Additionally, you will be responsible for conducting and coordinating penetration testing activities and performing high-level monitoring of application resilience.

Requirements

Experience: 3+ years of professional experience in Application Security, Penetration Testing, or Secure Software Development.
Cloud & SaaS Knowledge: Practical experience with Azure cloud solutions and securing SaaS platforms.
AI Security Knowledge: Familiarity with the OWASP Top 10 for LLM Applications and common risks associated with Generative AI and Machine Learning models.
Technical Knowledge: Understanding of common web and mobile application vulnerabilities (e.g., OWASP Top 10, SANS Top 25) and how to remediate them using industry-standard methodologies (e.g., OWASP WSTG).
Tooling: Hands-on experience with application security tools.
DevSecOps: Experience integrating security checks into CI/CD pipelines (e.g., Azure DevOps).
Education: Bachelor’s or Master’s degree in Computer Science, Cyber Security, or a related technical field.
Communication: Excellent English communication skills to explain complex security, AI, and pentesting risks to various stakeholders.
Communication: Excellent communication, facilitation, and negotiation skills, with the ability to explain complex security, AI, and pentesting risks to various stakeholders.
Language: Fluency in English (written and verbal).

Nice To Haves

Certifications: Professional certifications such as OSCP, OSWE, or specific cloud/AI security credentials.
Application Resilience: Basic understanding of application performance monitoring (APM) and observability concepts.
AI/ML Security Frameworks: Experience with frameworks such as MITRE ATLAS or NIST AI RMF.
Contingency Planning: Experience contributing to Business Continuity (BCP) or Disaster Recovery (DR) strategies.
Cloud & Container Security: Experience securing applications in Azure, AWS, or GCP and knowledge of Kubernetes.
Proactivity & Autonomy: High level of proactivity and autonomy in managing security initiatives.
Organization: Strong planning, prioritization, and organizational skills.
Collaborative Spirit: Comfortable challenging assumptions and existing processes while remaining highly collaborative.

Responsibilities

Secure SDLC & AI Integration: Design, implement, and maintain security gates within CI/CD pipelines. Explore and deploy AI-powered security tools to enhance vulnerability detection and automate triage.
Penetration Testing & Assessments: Conduct regular internal penetration tests on web, mobile, and AI-based applications. Also, coordinate with external security firms for third-party audits and manage the end-to-end remediation process.
Securing AI/ML Solutions: Conduct security reviews and threat modeling specifically for AI-driven features, addressing risks such as Prompt Injection, Training Data Poisoning, and Insecure Output Handling.
Threat Modeling: Lead threat modeling sessions with architects and developers to identify potential attack vectors in traditional applications and LLM-based architectures.
Vulnerability Management: Perform regular security assessments, triage findings from automated tools and pentests, and coordinate with engineering teams to prioritize remediation.
AI Security Governance: Establish guidelines and best practices for the secure use of AI coding assistants and third-party AI APIs within the organization.
Security Code Reviews: Conduct manual and automated deep-dive code reviews, ensuring that code (including AI-generated segments) meets our security standards.
Consultancy & Training: Act as a security consultant for product teams, providing guidance on OWASP Top 10, OWASP Top 10 for LLM, and secure coding standards.
Application Resilience Support: Periodically monitor high-level availability and performance dashboards to maintain oversight of system stability and support long-term capacity planning.