Sr. Application Security Engineer

About The Position

Requirements

• 6+ years of application security, secure development, or software engineering experience (or equivalent real-world experience).
• Strong knowledge of modern application architectures: microservices, REST/GQL APIs, React/Node/Java/Kotlin/Go, containerized workloads, Kubernetes.
• Hands-on experience with SAST, DAST, SCA, secrets scanning, container scanning, and CI/CD integration.
• Expertise in OWASP Top 10, ASVS, SANS CWE Top 25, and secure coding principles.
• Ability to perform threat modeling, code review, and architecture analysis.
• Experience partnering with Engineering to drive remediation and long-term maturity improvements.

Nice To Haves

• Experience in SaaS, multi-tenant systems, or high-scale cloud environments (AWS preferred).
• Familiarity with SOC 2, GovRAMP, & TX-RAMP.
• Prior background in DevOps, software engineering, or cloud security.

Responsibilities

• Embed security into CI/CD pipelines through scalable guardrails, automated security checks, and continuous improvements to developer workflows.
• Drive adoption of secure coding best practices across engineering teams through tooling, guidance, and direct partnership.
• Lead threat modeling exercises for high-risk features and new architecture patterns.
• Own, maintain, and tune AppSec tooling including SAST, DAST, SCA, secrets scanning, container scanning, and dependency management.
• Partner with DevOps to ensure automated testing integrates into build, test, and deploy workflows with high signal-to-noise and minimal developer friction.
• Evaluate emerging technologies and automation opportunities to strengthen AppSec capabilities.
• Lead triage, prioritization, and root-cause analysis for application vulnerabilities discovered through internal testing, bug bounty programs, pentests, and external researchers.
• Ensure timely remediation through strong cross-functional partnership, driving the right balance of risk, velocity, and operational maturity.
• Support security reviews, pen test scoping, and remediation programs tied to GovRAMP, SOC 2, and customer requirements.
• Conduct manual reviews of critical code paths, APIs, backend services, and cloud components to identify security defects that automation may miss.
• Advise on secure design patterns for microservices, cloud-native architectures, authentication/authorization mechanisms, secrets management, and data protection.
• Collaborate with Security Operations during active incidents involving application or product vulnerabilities.
• Perform deep-dive analysis of new vulnerabilities, exploit techniques, frameworks, and supply-chain risks affecting our tech stack.
• Mentor engineering teams on secure design, secure coding, and modern AppSec patterns.
• Lead internal workshops, brown bags, and knowledge-sharing sessions.
• Contribute to internal AppSec documentation, policies, and secure development standards.