Sr. Application Security Engineer

About The Position

Requirements

• Strong knowledge of application security principles, secure design, secure coding, web application security, API security, cloud-native application security, and secure SDLC practices.
• Strong understanding of common application and API vulnerabilities, including OWASP Top 10, OWASP API Security Top 10, authentication bypass, authorization flaws, injection, insecure deserialization, SSRF, business logic flaws, secrets exposure, and supply chain risks.
• Experience performing security architecture reviews, threat modeling, design reviews, and risk assessments for modern software systems.
• Ability to understand complex application architectures and document them from a security perspective, including data flows, trust boundaries, identity flows, external integrations, and critical control points.
• Working knowledge of AI-enabled application and AI agent security concepts, including agent components, tool use, memory, prompt handling, prompt tracing, guardrails, authentication, authorization, runtime monitoring, abuse-case testing, and data protection.
• Familiarity with AI security frameworks, patterns, or risk areas such as prompt injection, indirect prompt injection, tool misuse, excessive agency, data leakage, insecure plugin/tool access, model output handling, and agentic workflow abuse.
• Experience evaluating or securing AI code-assist tools, including secure configuration, acceptable-use guardrails, source code exposure risks, generated-code review practices, and developer workflow controls.
• Experience integrating security testing and security gates into CI/CD pipelines, including SAST, SCA, IaC scanning, container scanning, secrets scanning, DAST, API testing, and AI runtime scanning.
• Strong understanding of identity and access management concepts, including IAM, PAM, JIT access, least privilege, RBAC/ABAC, federation, SSO, MFA, privileged workflows, service identities, API tokens, and access lifecycle management.
• Experience with cloud security concepts and services across AWS and/or Azure, particularly as they relate to application workloads, identity, networking, logging, encryption, and deployment pipelines.
• Familiarity with WAF, API gateway, rate limiting, bot protection, DLP, logging/monitoring, SIEM integrations, and application-layer detective and preventive controls.
• Ability to assess vulnerabilities based on exploitability, compensating controls, business impact, and remediation complexity rather than scanner severity alone.
• Ability to influence engineering teams and product stakeholders through practical, risk-based guidance.
• Strong written and verbal communication skills, including the ability to explain security risk, tradeoffs, and recommended actions to both technical and non-technical audiences.
• Ability to create repeatable standards, patterns, playbooks, and architecture guidance that scale across multiple teams and products.
• Strong collaboration skills with engineering, architecture, DevOps, cloud, compliance, IT, identity, and security operations teams.
• Ability to work independently, manage competing priorities, and operate effectively in a remote or hybrid environment.

Responsibilities

• Partner with product and engineering teams to perform application security reviews, secure architecture reviews, and threat modeling for new and existing applications, services, APIs, integrations, and cloud-native workloads.
• Work with teams to understand application architecture, data flows, trust boundaries, authentication and authorization models, third-party integrations, deployment patterns, and security-relevant design decisions.
• Document application architecture from a security perspective, including key assets, identity flows, privilege boundaries, attack surfaces, sensitive data flows, control gaps, and recommended mitigations.
• Identify and prioritize application security risks across web applications, APIs, microservices, SaaS platforms, cloud services, CI/CD pipelines, infrastructure-as-code, and AI-enabled product capabilities.
• Provide hands-on guidance to engineering teams on secure coding, secure design, vulnerability remediation, secrets management, dependency risk, API security, input validation, authentication, authorization, session management, logging, and error handling.
• Support and improve secure SDLC practices, including security requirements, design review checkpoints, threat modeling, secure code review, automated scanning, developer education, exception management, and remediation tracking.
• Integrate and tune security tooling across CI/CD pipelines, including SAST, SCA, IaC scanning, container scanning, DAST, API security testing, secrets detection, and AI runtime security scanning where applicable.
• Help define and operationalize security controls for AI agents and AI-enabled product features, including guardrails, authentication, authorization, prompt tracing, model/tool interaction logging, memory controls, data leakage prevention, abuse-case testing, and runtime monitoring.
• Evaluate the secure use of AI code-assist tools and developer productivity tools, including risks related to data exposure, insecure code generation, hallucinated dependencies, licensing, secrets leakage, provenance, and secure review workflows.
• Collaborate with DevOps and platform teams to embed security controls into CI/CD workflows while minimizing developer friction and false positives.
• Review identity and access management patterns across applications and platforms, including IAM, PAM, JIT access, service accounts, least privilege, privileged workflows, role design, federation, SSO, API access, token handling, and lifecycle governance.
• Partner with cloud and infrastructure teams to review application-level cloud security controls across AWS, Azure, and related platforms.
• Support vulnerability management by validating findings, assessing exploitability and business impact, partnering on remediation plans, and escalating material risks when needed.
• Develop reusable security patterns, reference architectures, standards, guardrails, and implementation guidance for engineering teams.
• Mentor engineers and security team members on application security, cloud security, API security, AI security, threat modeling, and secure SDLC practices.
• Communicate risk clearly to technical and non-technical stakeholders, including engineering leaders, product leaders, compliance partners, and security leadership.
• Contribute to security policy, standards, compliance, and audit readiness efforts related to application security, product security, identity, cloud, AI, and SDLC controls.
• Participate in security incident response, security operations escalation, or on-call processes as required by the business.