APPLICATION SECURITY ANALYST JOB DESCRIPTION

Find detailed Application Security Analyst job descriptions outlining required experience, certifications, and technical skills.

Application Security Analyst Job Description Template

1. About the Role

Unreviewed code ships. When it does, OWASP Top 10 vulnerabilities reach production, PCI DSS audit findings land on the CISO's desk, and remediation costs dwarf what prevention would have required. The Application Security Analyst steps into that gap, not as a gatekeeper but as the person who embeds security judgment directly into the software development lifecycle, from architecture review through post-deployment scanning. The role is a rare hybrid: this analyst speaks fluently to both the developers writing code and the business risk leaders reviewing exposure.

2. Position Summary

As the Application Security Analyst, you protect enterprise applications by owning the full chain of vulnerability identification, risk assessment, and developer-facing remediation guidance across web, mobile, and API surfaces. You operate within the information security function, partnering daily with engineering and QA teams while reporting findings upward to security leadership and the CISO.

3. Why Join Us

Career Impact: Mastery of SAST/DAST tooling combined with hands-on penetration testing experience positions analysts to advance toward Application Security Lead or Security Architect roles within three to five years.

Business Impact: Vulnerabilities this analyst catches before release prevent OWASP Top 10-class weaknesses from being exploited against customers, reducing the organization's breach exposure and audit liability under frameworks such as PCI DSS and ISO 27001.

Growth Opportunity: Demand for professionals who can operate across DevSecOps pipelines, cloud-native environments, and compliance regimes like SOC2 and FedRAMP continues to outpace supply, making this role a strong foundation for senior specialist or consulting paths.

4. Key Responsibilities

  • Conduct static and dynamic application security assessments across web, mobile, API, and thick-client applications to identify exploitable vulnerabilities.
  • Integrate security controls and scanning automation into CI/CD pipelines, ensuring vulnerabilities are detected before code reaches production.
  • Perform threat modeling during architecture and design reviews to surface risks before development begins.
  • Triage automated scan output to separate false positives from real findings, and deliver prioritized, developer-ready remediation recommendations.
  • Collaborate with software engineering teams to enforce secure coding standards and OWASP guidance on the Top 10 risk categories organization-wide.
  • Monitor and respond to security events across internal platforms, escalating confirmed threats through the incident response process.
  • Develop and deliver security awareness training and documentation for development and QA teams on common vulnerability classes.
  • Review and report vulnerability status, trends, and risk levels to security leadership and business stakeholders on a regular cadence.

5. Required Qualifications

  • Bachelor's degree in Computer Science, Information Systems, Cybersecurity, or equivalent work experience.
  • 3 or more years of application security experience, with hands-on background in both penetration testing and secure development.
  • Demonstrated knowledge of OWASP Top 10 vulnerabilities, remediation techniques, and secure coding principles across web and API surfaces.
  • Experience integrating SAST and DAST assessments into software development workflows, including false positive triage and reporting.
  • Proficiency in at least one scripting or programming language such as Python, Java, JavaScript, or Bash, applied to security testing or automation.
  • Working knowledge of information security frameworks and regulations including NIST, ISO 27001, and PCI DSS.
  • Ability to communicate technical vulnerability findings clearly to both developer teams and non-technical business stakeholders.
  • Strong analytical and organizational skills, with the ability to manage concurrent assessment projects and meet defined remediation timelines.

6. Preferred Qualifications

  • Active certification in application or information security, such as CISSP, OSCP, CEH, CSSLP, or GWAPT.
  • Experience implementing DevSecOps practices including security automation, Infrastructure as Code review, and containerized environment assessments.
  • Familiarity with cloud security controls across at least one major platform such as AWS, Azure, or GCP, including identity and access management patterns.
  • Prior exposure to compliance assessments under SOC2, FedRAMP, or financial services regulations such as GLBA or NYDFS.

7. Success Metrics & Environment

  • Vulnerability closure rate, measuring the percentage of identified findings remediated within agreed SLA windows.
  • False positive ratio per scan cycle, reflecting how well the analyst tunes scanners and triages automated tool output before findings reach developers.
  • Mean time from vulnerability discovery to developer notification, tracking how quickly actionable findings reach engineering teams.
  • Number of SAST/DAST assessments completed per quarter against the planned assessment schedule.
  • Security training completion rate across developer and QA populations receiving analyst-delivered content.
  • Typical tools: SAST platforms (commonly Checkmarx, SonarQube, or Veracode); DAST and penetration testing suites (commonly Burp Suite Pro or OWASP ZAP).

8. Compensation & Benefits (US Market Benchmark)

  • Base Salary Range: $95,000 to $130,000 annually, depending on experience and location
  • Bonus: Annual performance bonus of 5 to 10 percent of base salary
  • Equity: Stock options or RSUs offered at many technology employers; varies by company stage
  • Health Benefits: Medical, dental, and vision coverage; employer typically covers majority of premiums
  • PTO: 15 to 20 days annually, plus public holidays and sick leave
  • Common Perks: Professional development and certification reimbursement, home office stipend, and flexible or hybrid work arrangements


Figures are estimates based on general US market benchmarks and may be outdated. Adjust based on location, company size, and seniority level.

9. EEO & Legal

Employment decisions are made without regard to race, color, religion, sex, national origin, age, disability, genetic information, veteran status, or any other characteristic protected under applicable federal, state, or local law. Candidates requiring a reasonable accommodation during any stage of the application or employment process may request one at any time. All offers of employment are contingent on successful completion of a background check. Applicants must be authorized to work in the United States.

Application Security Analyst Job Description Examples

1. Application Security Analyst (eCommerce & Mobile Security)

The Application Security Analyst owns application security across multichannel ecommerce, mobile, and customer relations operations to maintain a consistent security posture enterprise-wide. Reporting to security leadership, the analyst partners with business unit and service provider teams to embed secure coding practices and maintain PCI DSS compliance.


Key Responsibilities

  • Ensure ongoing security of multichannel operations covering ecommerce, mobile, and customer relations.
  • Help embed security in the development and operational lifecycle, and show continued security value by presenting risk from the customer and business perspective.
  • Ensure teams have what they need to deliver secure code and applications, including the skills, tools, and training.
  • Perform static and dynamic security testing, including code scanning, hands-on targeted assessments, and ethical hacking.
  • Own security toolsets for the discovery and investigation of potential vulnerabilities and activity monitoring.
  • Review and advise on application architecture and designs.
  • Network with industry peers on general and targeted threat intelligence.
  • Act as security evangelist and mentor to the business and development teams.
  • Identify and pursue opportunities for continuous improvement.
  • Help maintain PCI DSS and other regulatory compliance.


Required Qualifications

  • Experience in the full software development lifecycle from design to deployment, with knowledge of Agile methodologies.
  • Strong understanding of application security including web application security, secure coding, SDLC, hacking techniques and the evolving threat landscape.
  • Demonstrable programming ability in Java, Python or C# with an in-depth understanding of underpinning techniques.
  • Knowledge of software security standards such as OWASP and BSIMM, and current information security regulations such as PCI DSS, the ISO 27000 series and GDPR.
  • Experience with SAST and DAST security tools, web application firewalls and infrastructure security scanning software.
  • Technical mindset with aptitude for analysis, investigation, and ability to analyze and prioritize findings.
  • Strong communication skills including written and verbal, with presentation ability and a naturally collaborative, adaptable disposition.
  • Problem-solving, attention to detail, analytical, and sound judgment and decision-making skills.

2. Application Security Analyst (Security Risk Assessment)

Embedded within the cybersecurity governance team, the Application Security Analyst leads the review of IT application documentation, including architectural diagrams and security questionnaires, to identify cybersecurity risks. Working closely with stakeholders, colleagues, vendors, and the CISO, the analyst negotiates and tracks minimum security requirements and presents escalations to Business Risk Leaders to safeguard sensitive data.


Core Functions

  • Review cybersecurity aspects within delivered IT application documentation, including architectural diagrams and security questionnaires, and analyze for potential cybersecurity risks.
  • Gather additional information through collaboration with various stakeholders, including colleagues and vendors.
  • Place potential risks in the correct context of the sensitivity level of the processed data.
  • Align and co-review with colleagues to help them understand technical risks to data.
  • Negotiate, accept and track minimum security requirements.
  • Formally document the review process and present findings to the CISO for final approval and establish follow-up actions.
  • Prepare and present escalations to Business Risk Leaders.
  • Report status to varying stakeholders.


Qualifications & Experience

  • Bachelor's degree in Computer Science, Information Systems or a related field, or equivalent experience.
  • Minimum 1-2 years of relevant work experience in application security or a comparable position.
  • Familiarity with ISO 27001, ISO 27002, NIST and other recognized information security standards, including OWASP.
  • Knowledge of IT networks, operating systems, and application security standards.
  • Strong analytical skills with the ability to understand abstract concepts and communicate IT security to stakeholders of varying technical backgrounds, including developers, lawyers, and managers.
  • Demonstrated success working with all levels of an organization.
  • Excellent written and verbal communication skills in English.

3. Application Security Analyst (Security Analytics & Monitoring)

Reporting to the information security leadership, the Application Security Analyst builds and manages application security tools across the Springer Nature ecosystem to enable proactive and reactive countermeasures against cyber threats. Partnering with internal teams and third-party vendors, the analyst drives the security champion model to strengthen application security policies and reduce business risk.


Primary Duties

  • Integrate and manage application security tools within the Springer Nature ecosystem.
  • Perform security testing and reviews of applications.
  • Provide solutions that mitigate vulnerabilities.
  • Maintain supporting documentation.
  • Develop, implement and review application security policies.
  • Drive the security champion model within the application security area.
  • Nurture intra-team relationships and manage third-party relationships.


Skills & Qualifications

  • Bachelor's degree in Computer Science.
  • Security-related certification required.
  • Genuine interest in cybersecurity.
  • At least 5 years of working experience in information security or a related field.
  • Good working knowledge of CI/CD, secure development lifecycle and programming languages.
  • Able to articulate the strategic goals of the team and work within a diverse team.

4. Application Security Analyst (Cloud Security Operations)

Sitting at the intersection of IT security operations and compliance management, the Application Security Analyst leads internal and external audits and information security assessments for cloud-based solutions. Operating across Azure Sentinel, Azure Security Center, and on-premise systems, the analyst guides junior SOC staff and serves as the primary contact for security incident investigation and response.


Duties

  • Support development and implementation of IT Security Operations and Compliance management for cloud-based solutions.
  • Serve as the primary contact for information security incident investigation and coordinate incident response and reporting.
  • Support internal and external audits, including information security assessments conducted by clients.
  • Develop policies, standards, processes, procedures and guidelines for Security Monitoring.
  • Provide guidance and expertise regarding security architecture for new initiatives.
  • Act as subject matter expert on relevant regulations, frameworks and standards such as ISO 27001, NIST and ITSG-33.
  • Monitor and manage security dashboards in Azure Sentinel and Azure Security Center, customize reports and produce metrics per client needs.
  • Monitor health of security solutions including firewalls, IPS, identity management and endpoint security for cloud-based and on-premise systems.
  • Work with Business and IT support engineers and vendor teams to resolve issues, guide junior SOC staff and prepare shift turnover reports.


Requirements

  • Bachelor's or Master's degree in Computer Science, Engineering, Information Technology, Cybersecurity or related field.
  • Preferred certifications include CEH, CISSP, or CISA.
  • Minimum 4 years of experience in Information Security management and Security Incident Response and Operations management.
  • Expert knowledge of information security management frameworks such as NIST and ISO, together with a solid understanding of malware operation, the threat landscape, and APT activity.
  • Experience producing threat and risk assessment reports, delivering IT security awareness training, and conducting security assessments and authorization activities.
  • Good understanding of computer forensic techniques and methodologies.
  • Proven interpersonal and collaborative skills.
  • Excellent written and verbal communication skills with ability to convey security and risk concepts to both technical and non-technical audiences.

5. Application Security Analyst (Threat Detection & Red Team Operations)

A key member of the information security team, the Application Security Analyst delivers purple and red team exercises and technical security reviews across the software development lifecycle. Collaborating across multiple internal platforms, the analyst maintains ATP rule sets and provides business-aligned remediation recommendations to defend against phishing, malware, and emerging threats.


Functions

  • Conduct purple and red team exercises.
  • Perform technical and security analysis reviews and assessments within the software development lifecycle.
  • Monitor and report on security events across multiple internal platforms.
  • Maintain ATP rule sets to protect against phishing, malware, BEC and other threats.
  • Address end user support requests for information security issues and SOC escalations.
  • Perform analysis, validation and provide business-aligned remediation recommendations for identified or emerging threats.
  • Maintain up-to-date knowledge on information security best practices and emerging threats.
  • Assist information security team members with project tasks, troubleshooting and administration responsibilities.


Experience & Qualifications

  • Bachelor's degree in Computer Information Systems, related field or equivalent experience.
  • CISSP, OSCP or other security certifications preferred.
  • 3-5 years of experience in a security analyst or similar technical role.
  • Demonstrated scripting and software development proficiency in C/C++, Java, Python, Bash or PowerShell.
  • Experience with security assessment tools such as Nexpose, Burp Suite, AppScan and WebInspect, and conducting penetration testing in an enterprise environment.
  • Understanding of web application architecture, OWASP Top 10, SANS Top 25, cloud computing risks and industry-standard encryption and cybersecurity technical controls.
  • Work experience with Cisco, Active Directory, Okta, SSO applications, Office 365, VMware, Windows, Unix/Linux, IDS, SIEM and other security-focused tools preferred.
  • Strong organizational, analytical and communication skills.
  • Ability to work with minimal supervision, establish priorities and travel as needed.

6. Application Security Analyst (Penetration Testing & SDLC Security)

Proactive risk mitigation across the software development lifecycle depends on the Application Security Analyst, who builds governance processes for secure development and conducts vulnerability and penetration tests against defined systems. Serving as a key advisor to senior management, the analyst monitors network and database traffic and collaborates company-wide to ensure information security risks are properly addressed.


Accountabilities

  • Identify information security risks at the application level at each stage of development, and proactively work to ensure risks are identified, assessed and mitigated.
  • Integrate static and dynamic code analysis tools into the SDLC and build a governance process for secure development principles and best practices.
  • Monitor and review network application traffic and database transactions across endpoints, datacentres and clouds, and correlate to identify unexpected behavior or intrusions.
  • Conduct vulnerability and penetration tests against defined systems.
  • Identify and propose key application security priorities, initiatives and tools, and provide risk severity assessments and cost-benefit recommendations.
  • Collaborate across the company to ensure information security risks in ongoing and planned operations are properly considered and compliance requirements are met.
  • Monitor application security trends and keep senior management informed about related issues and implications.
  • Participate in the Security Incident Response Process and assist with disaster recovery, business continuity planning and after-hours incident response as needed.


Technical Qualifications

  • Education background in Information Security, Computer Science or Information Management Systems, or equivalent understanding of common web application technologies.
  • Two years of experience in Information Security Auditing, with a real interest in application security assessment.
  • Technical skills in secure coding standards, application security testing, Java programming, ethical hacking, cloud security architecture and vulnerability management.
  • Familiar with penetration testing tools including Nmap, Nessus, Burp, ZAP, Nexpose, Kali Linux and Metasploit, as well as threat modeling and attack vector analysis.
  • Experience developing in Java, Python, HTML or JavaScript.
  • Basic understanding of data centre and public cloud environments.
  • Familiarity with information security standards and regulations including PCI DSS, HIPAA, NIST, ISO 27000, OWASP, SANS and ITIL.
  • An analytical and detail-oriented approach.
  • Strong written and oral communication skills.

7. Application Security Analyst (SAST/DAST Vulnerability Management)

The Application Security Analyst leads source code security scanning, web application scanning, and application threat modeling, including onboarding applications to scanner tools and conducting false positive analysis. The development team relies on this work to receive clear vulnerability remediation guidance and walk-throughs that strengthen application security posture.


Activities

  • Perform application architecture review and scoping.
  • Work with various tools for application scanning and automation, including configuration of applications for CI/CD and SAST/DAST enablement.
  • Schedule, prioritize, and fine-tune SAST/DAST assessments of applications according to policies.
  • Conduct false positive analysis, code reviews, vulnerability reproduction and retesting.
  • Assess risk, recommend remediation, generate vulnerability reports, and provide feedback to developers and management.
  • Continually improve SAST/DAST processes and perform threat modeling.


Position Requirements

  • Bachelor's degree in an IT-related field.
  • SAST/DAST certifications required.
  • At least 2 years of coding or developer experience with understanding of the SDLC process.
  • Good foundation in computer programming including data structures, design patterns, OOP, algorithms and software design.
  • Working knowledge of MS Windows or Linux.
  • Working knowledge of secure coding practices, code review methods, web service technologies such as XML, REST, SOAP, JSON, HTML5 and JavaScript.
  • Familiarity with security standards including CIS, COBIT, ISO 27001, NIST SP 800-53, PCI DSS and OWASP.
  • Knowledge of application security vulnerabilities and remediation.
  • Proficient with SAST tools including SonarQube, Checkmarx, Fortify and Veracode, and DAST tools, including Acunetix, AppScan, Burp Suite, Nessus and WebInspect.
  • Good oral and written communication skills with strong attention to detail, documentation, and organizational skills.

8. Application Security Analyst (Secure Development & Penetration Testing)

The Application Security Analyst delivers secure web application development at Paycom by partnering with product design and development staff to build security into applications, performing penetration tests, and documenting remediation steps. The work directly supports developer training and ongoing protection of Paycom's internally developed applications and application security tools.


Operational Focus

  • Understand how to identify, exploit, and remediate common application vulnerabilities through use of tools and code review.
  • Use penetration testing skills, tools and methodology to test new applications and services.
  • Enforce secure development standards and requirements.
  • Contribute to application security development projects and discussions as needed.
  • Utilize SAST/DAST and other products to identify security vulnerabilities.
  • Develop and participate in security-focused training for Paycom's development team.
  • Perform research on new security trends, tools and techniques to improve existing processes.
  • Prioritize and track assigned security issues, help onboard new team members and perform additional duties as requested.
  • Maintain professional working relationships with other departments through clear communication.


Knowledge Skills & Abilities

  • Bachelor's degree required.
  • CSSLP, CISSP, GWAPT, CEH or other applicable certifications preferred.
  • Passionate about information security.
  • 1+ years of development experience and 3+ years of secure development experience.
  • Strong knowledge of web application vulnerabilities, exploits, remediation techniques, secure development and secure architecture.
  • Familiar with dynamic and static testing tools, techniques and secure coding principles and architecture.
  • Excellent communication skills with ability to work as part of a larger team.
  • Ability to work flexible hours, including weekends and evenings and respond to emergencies as required.

9. Application Security Analyst (DevSecOps & Cloud Security)

The Application Security Analyst develops vulnerability assessment and penetration testing programs across cloud and on-premises environments covering web, mobile, API, and desktop applications. Reporting to the security engineering team, the analyst designs CI/CD security automation using a shift-left approach and builds internal knowledge and tooling for development, QA, and security stakeholders.


Key Deliverables

  • Conduct vulnerability assessments and penetration testing in cloud and on-premises environments against web, mobile, API and desktop applications.
  • Analyze vulnerabilities and deliver clear written reporting identifying risks and providing mitigation recommendations.
  • Design and implement security automation as part of CI/CD pipelines to proactively uncover vulnerabilities using a shift-left approach.
  • Design and implement secure architecture to protect the confidentiality, integrity and availability of CI/CD pipelines.
  • Work with stakeholders across development, QA, program management and security teams to provide security automation tools and maintenance training.
  • Build internal knowledge, processes, KPIs and tools, and create artifacts for various stakeholders and customers.


Professional Experience

  • Security certifications preferred, including CEH, OSWE, CSSLP or GWAPT.
  • 5+ years of cybersecurity expertise with minimum 3+ years in application security, preferably including DevSecOps implementation.
  • Understanding of DevSecOps, CI/CD integration, Agile security testing methodology and secure software development lifecycle processes.
  • Strong knowledge of methodologies including OWASP and SANS.
  • Ability to conduct vulnerability assessments and penetration testing using tools such as Fortify, Veracode, AppScan and BurpSuite.
  • Experience with at least one cloud platform (Azure or GCP), one scripting language (Bash, Python or Ruby), containerization and Kubernetes, and at least one Infrastructure as Code solution such as Terraform or Ansible.
  • Experience in automating and templating security processes and documentation for compliance purposes.

10. Application Security Analyst (Code Review & Secure Architecture)

Embedded within the information security team, the Application Security Analyst refines application security assessments through manual code reviews, static vulnerability scanning, and false positive analysis. Working closely with software engineers across development teams, the analyst advances secure architecture and coding standards organization-wide while communicating technical and business risk of discovered vulnerabilities to support remediation efforts.


Areas of Ownership

  • Perform application security assessments including manual code reviews, static vulnerability scanning, vulnerability validation and false positive analysis.
  • Enhance existing application security tools and introduce new tools where applicable.
  • Work closely with software engineers across development teams to build secure architecture and coding standards organization-wide.
  • Communicate technical and business risk of discovered vulnerabilities, including remediation recommendations, and support internal teams in remediation efforts.
  • Keep abreast of the latest technology risks and contribute to the information security strategy and its rollout.


Education & Experience

  • Degree in Computer Science and Engineering.
  • Certifications preferred, including GPEN, GXPN, GMOB, GWAPT, OSWE, OSCP, OSCE, OSWP, CNCF or AWS.
  • 5+ years in security and 2+ years in software development, with experience in application security, code reviews and penetration testing.
  • Experience in web application security, mobile security and API security, with knowledge of application vulnerabilities, business logic flaws and security risk assessment.
  • Experience with penetration testing tools including Burp Suite Pro, OWASP ZAP, Postman, Kali Linux, SQLMap and Nessus, and familiarity with Google, Kubernetes, Docker and Terraform.
  • Programming language skills in Java, or in JavaScript (React or Node.js), are advantageous.
  • Proficiency in OWASP Code Review Guide and automated code scanning triage.
  • Excellent communication skills with ability to convey complex vulnerabilities to internal teams.

11. Senior Application Security Analyst (Enterprise Application Security Testing)

Reporting to the application security leadership, the Senior Application Security Analyst oversees dynamic and static security assessments of ADP applications across web, mobile, premise-based, mainframe-based and Citrix-based platforms. Partnering with development teams, the analyst documents vulnerability ratings with proof of concepts and provides technical support to junior application security analysts.


Role Responsibilities

  • Conduct hands-on security assessments on web, mobile, premise-based, mainframe-based and Citrix-based applications.
  • Perform source code reviews.
  • Assess and document vulnerability ratings with proper proof of concepts as necessary.
  • Assist development teams in understanding vulnerabilities by providing required information and suggesting application-specific fixes.
  • Provide technical support to junior application security analysts.


Background & Experience

  • Bachelor's degree in Computer Science, Computer Engineering, Software Engineering, Information Technology, or a related field.
  • 5-8 years of experience in application security with expertise in penetration testing of web, mobile (iOS and Android), and REST/SOAP APIs.
  • Preferred experience assessing thick-client and embedded applications, and leading application security teams in Agile environments.
  • Experience in Secure Source Code Analysis and SAST, and the ability to assess risk, write proof of concepts, and perform in-depth exploitation.
  • Expertise in Python or Ruby, with hands-on development knowledge in Java or .NET as an advantage.
  • Exceptional problem-solving skills.
  • Excellent communication and presentation skills, and able to work independently and as part of remote teams, with a self-motivated, positive attitude.

12. Application Security Analyst (Multi-Platform Security Testing)

Sitting at the intersection of security testing and project delivery, the Application Security Analyst oversees SAST and DAST across web, API, thick client, and mobile applications and supporting infrastructure. Operating across multiple simultaneous projects, the analyst leverages business requirements and design documents to create targeted security user stories and analyzes source code to mitigate identified weaknesses and vulnerabilities.


Job Functions

  • Perform SAST and DAST on various application types including web, APIs, thick clients, and mobile, as well as supporting infrastructure.
  • Leverage application artifacts such as business requirements, user stories, and design documents to understand testing scope and create targeted security user stories or misuse cases.
  • Manage and execute security assessments for multiple projects simultaneously and ensure project timelines are met.
  • Identify opportunities for process improvements and automation.
  • Analyze source code to mitigate identified weaknesses and vulnerabilities.


Minimum Qualifications

  • Bachelor's or Master's degree or equivalent experience, preferably with Java development experience.
  • 5-8 years of relevant experience in application security.
  • Knowledge of security tools such as Burp Suite, Checkmarx, and Black Duck.
  • Strong technical writing and presentation skills to report and articulate vulnerability assessment results to any audience.
  • Consistently demonstrates clear and concise written and verbal communication.
  • Proven influencing and relationship management skills.

13. Application Security Analyst (Vulnerability Remediation & Secure Coding)

A key member of the application security team, the Application Security Analyst produces remediation guidance by identifying, exploiting and resolving common application vulnerabilities through tools and code review. Collaborating across development teams, the analyst onboards applications into SAST, DAST and open source scanning solutions while providing threat feedback on new features and releases.


What You'll Do

  • Understand how to identify, exploit and remediate common application vulnerabilities through use of tools and code review.
  • Onboard applications into SAST, DAST and open source scanning solutions.
  • Provide education on security practices and methodologies to resolve vulnerabilities.
  • Execute and monitor application security controls to protect the organization's applications from attack.
  • Provide threat and security feedback for application development teams on new features or releases.
  • Use penetration testing skills, tools and methodology to test new applications and services.
  • Maintain and enhance documentation, manage projects and work independently with limited supervision.


Required Qualifications

  • 3-5 years of experience in application security, including 1-2 years of hands-on programming.
  • Familiar with dynamic and static testing tools, secure coding principles and architecture.
  • Basic skills in attacker methods, IDS, WAFs, API security, TCP/IP, cryptography, and Windows or Unix security.
  • Experience in code analysis, scripting, testing, automation and AppSec tools.
  • Understanding of OWASP vulnerabilities and methodologies.
  • Basic cloud knowledge.
  • Experience in FinTech and/or payments industry preferred.

14. Senior Application Security Analyst (Risk Remediation)

Effective risk reduction across supported groups depends on the Senior Application Security Analyst, who refines automated and standardized information security controls and resolves vulnerabilities detected in applications or infrastructure. Serving as a trusted advisor, the analyst directs the development of secure solutions, analyzes root causes, and drives compliance with applicable laws and policies.


Day-to-Day Responsibilities

  • Identify opportunities to automate and standardize information security controls for supported groups.
  • Resolve vulnerabilities or issues detected in applications or infrastructure.
  • Analyze source code to mitigate identified weaknesses and vulnerabilities.
  • Review and validate automated testing results and prioritize actions based on overall risk.
  • Scan and analyze applications with automated tools and perform manual testing if necessary.
  • Reduce risk by analyzing root causes, their impact and required corrective actions.
  • Direct the development and delivery of secure solutions by coordinating with business and technical contacts.
  • Assess risk appropriately when business decisions are made, drive compliance with applicable laws and policies, and escalate and report control issues with transparency.


Qualifications & Experience

  • Bachelor's degree required, Master's degree preferred.
  • 6+ years of relevant experience in application security or a related field.
  • Advanced proficiency with Microsoft Office tools.
  • Clear and concise written and verbal communication.
  • Proven influencing, relationship management, and analytical skills.

15. Application Security Analyst (Security & Privacy by Design)

As the Application Security Analyst, this role leads security and privacy by design within applications developed by The Economist Group, integrating controls throughout the development lifecycle. The information security function relies on this work to coordinate security testing, lead incident response, and protect against sensitive data loss or compromise.


Scope of Work

  • Integrate security design principles, tools and processes seamlessly into the application development lifecycle.
  • Lead and coordinate application security testing tasks, conduct security code reviews and ensure security best practices are followed.
  • Ensure that testing results and remediation progress are communicated effectively to stakeholders, and lead the prioritization and tracking of security findings.
  • Recommend security controls and identify solutions that support business objectives.
  • Perform threat modeling as part of the application security pipeline and develop controls to manage risks.
  • Identify and communicate relevant security threats to application platforms at all organizational levels.
  • Participate in and lead incident response from discovery through recovery, lessons learned and remediation, and protect against sensitive data loss or compromise.


Skills & Qualifications

  • University degree in Math, Science or Computer Science, or equivalent.
  • Security-related certification such as CISSP, CISM, CEH or OSCP is highly desirable.
  • Proven experience in programming languages such as Python and JavaScript.
  • Experience in an AWS cloud environment.
  • Strong understanding of OWASP Top 10.
  • Experience in security incident response and risk management desirable.
  • Excellent communication, interpersonal and influencing skills, with ability to deal with all levels of the organization and communicate regulatory compliance.
  • Organized, analytical, detail-oriented, inquisitive and self-motivated, with ability to manage multiple priorities and meet deadlines.
  • Experience in media and entertainment, or international work experience, is desirable.

16. Application Security Analyst (Vulnerability Scanning & Monitoring)

The Application Security Analyst oversees web application vulnerability scanning and monitoring of Windows and web servers in production, generating vulnerability identification reports and evaluating application vulnerability reports for the organization. The work directly supports development teams in remediating web application vulnerabilities and validating remediation results through additional scans and continuous monitoring.


Work Activities

  • Administer and support web application security tools including Veracode, Acunetix, and Qualys.
  • Perform application security scans and generate standard reports including OWASP-style reports using vulnerability scanning tools.
  • Analyze and review security issues in reports and work with development teams to remediate findings.
  • Create and maintain documentation for security best practices within the application development lifecycle.
  • Keep track of all vulnerabilities related to web applications and web servers, including IIS.
  • Monitor web application availability and performance using SolarWinds SAM and SIEM tools, and acknowledge and communicate alerts to responsible teams.
  • Create and analyze Application Health Reports using SAM and address any potential issues found.
  • Maintain knowledge of new security trends and technologies.


Requirements

  • Undergraduate degree in Computer Science, Mathematics, Engineering, Information Technology, or a related field, or equivalent experience.
  • 3-5 years of experience in security testing in a Microsoft environment, with related skills and training in Windows environments.
  • Experience identifying web application vulnerabilities and evaluating security controls, and presenting findings in verbal and written reports.
  • Proficient with web application security scanning tools including Veracode, Acunetix and Qualys, and server and application monitoring tools including SolarWinds SAM and SIEM.
  • Knowledge of fundamental operations of relevant software, hardware, and equipment, and customer service practices.
  • Proficient with Microsoft Office products including Word, Excel, PowerPoint, Visio and SharePoint.
  • Strong oral and written communication skills with attention to detail, problem-solving ability and stress tolerance.

17. Application Security Analyst (Mobile Application Security)

The Application Security Analyst guides mobile application security testing at NowSecure by utilizing hacking and penetration testing techniques to evaluate mobile apps, devices, and web services. Reporting to the R&D collaboration structure, the analyst communicates data risk profiles to customers and consults with developers to remediate vulnerabilities.


Performance Expectations

  • Understand specific security details related to mobile apps, devices, and operating systems.
  • Utilize hacking and penetration testing techniques to target mobile apps and web services, and test their security.
  • Examine transmitted and stored data for personally identifiable information and mobile application artifacts.
  • Present specific intelligence on the data risk profile of applications when in actual use.
  • Communicate about security with both end users and technical audiences.
  • Identify key strategies for remediation of vulnerabilities and create technically sound and actionable reports for customers.
  • Consult with developers to help them remediate vulnerabilities.
  • Monitor the mobile security industry continuously and work with the R&D team to support continuous upgrades and new mobile security solutions.
  • Work in an agile and expedited project structure.


Experience & Qualifications

  • Bachelor's degree in Computer Science, Computer or Electrical Engineering, or equivalent experience.
  • Applicable certifications include CISSP, OSCP, CHFI, CEH, GPEN, or GWAPT.
  • 3+ years of IT security experience.
  • Experience in Linux, command line, configuration, and scripting.
  • Strong fundamental understanding of security.
  • Experience in reverse engineering mobile apps a plus.
  • Familiarity with industry standards as they relate to mobile, including OWASP, CWEs, and CVSS.
  • Strong communication skills, high level of professionalism and fluency in written and spoken English.
  • Ability to work independently and with a team.

18. Application Security Analyst (Security Control & Compliance Assessment)

Embedded within Okta's Security Integration team, the Application Security Analyst executes security control testing and gap assessments against frameworks including SOC2, ISO, FedRAMP and PCI for new product integrations. Working closely with cross-functional teams and process owners, the analyst documents policies, supports IT computing environment audits, and strengthens Okta's security-first approach to product development.


Core Responsibilities

  • Assist in security control testing and develop recommendations based on confirmed observations.
  • Perform gap assessments against security frameworks including SOC2, ISO, FedRAMP and PCI, and help process and control owners understand gap results and identify remediation options.
  • Work with cross-functional teams to design and document policies and processes.
  • Assist with audits of the company's IT computing environment with focus on security controls.
  • Perform other IT security and compliance-related tasks as assigned by management.


Technical Qualifications

  • Bachelor's degree in Computer Science, Management Information Systems or equivalent experience.
  • In-depth knowledge of IT security frameworks and best practices including NIST 800-series publications, FedRAMP, COBIT, CCM and Trust Services Principles and Criteria.
  • Working knowledge of AWS, GCP or Azure, and terms and concepts used in information security, privacy, risk assessments and contingency planning.
  • Experience reviewing product architecture and security control implementation.
  • Strong analytical, problem-solving and communication skills.
  • Ability to work independently or as part of a team.

19. Application Security Analyst (Penetration Testing & Security Champions)

Reporting to the information security manager, the Application Security Analyst executes penetration testing on in-house developed web and mobile applications and designs proof-of-concept attacks for discovered vulnerabilities. Partnering with development teams, the analyst guides OWASP Top 10 training and promotes the Security Champions community to maintain the Secure Software Development Lifecycle.


Key Responsibilities

  • Perform penetration testing on in-house developed web and mobile applications.
  • Design proof-of-concept attacks related to discovered vulnerabilities.
  • Provide training to development teams on best practices around OWASP Top 10.
  • Help development teams with static code analysis report reviews and best fixes.
  • Promote initiatives to strengthen the Security Champions community.
  • Help maintain the Secure Software Development Lifecycle across all its stages.


Position Requirements

  • Bachelor's degree or equivalent in Computer Science, Information Security or a related field.
  • Certified in Information Security such as OSCP, CEH or similar.
  • 3+ years of experience in a similar position or in another information security field, with a background in software development or application penetration testing.
  • Passionate about problem-solving with strong analytical skills.
  • Fluent in English (written and spoken).
  • Self-motivated team player who can work with minimal supervision.

20. Application Security Analyst (Secure Coding & Vulnerability Management)

Sitting at the intersection of application development and cybersecurity, the Application Security Analyst elevates secure coding practices at Trek by guiding developers through static and dynamic code analysis and process documentation. Operating across governance, compliance, and third-party vendor relationships, the analyst tracks vulnerability remediation, develops quality metrics, and creates training materials for development and QA teams.


Core Functions

  • Participate in security testing and assessments, and develop comprehensive security test suites and processes with developers and QA teams.
  • Evaluate and prioritize newly discovered or reported software vulnerabilities by risk.
  • Interact with other departments to communicate status and priority of open vulnerabilities and understand the current state of remediation within defined timelines.
  • Develop, maintain and report quality metrics on application vulnerability status, trends and level of risk.
  • Create training and informational materials for development and QA teams on common vulnerability types and Secure Software Development Lifecycle frameworks.
  • Work closely with governance and compliance roles to ensure compliance with applicable regulations such as PCI-DSS, GDPR and CIS controls.
  • Analyze static code analysis reports for internally developed applications and maintain dynamic and static analysis toolsets.
  • Collaborate with third-party security vendors to track open security issues and effectively apply security tools to the application environment.


Knowledge Skills & Abilities

  • Bachelor's degree in Computer Science, Information Systems, Electrical Engineering or related field, or equivalent experience.
  • 5 years of work experience in application development, IT or cybersecurity, with at least 2 years in application development.
  • Proficiency in .NET (C#), Java and JavaScript, with experience in web and application servers such as IIS, Jetty, Tomcat and Nginx, and database servers such as Microsoft SQL Server and Oracle DB.
  • Experience with security tools including BurpSuite, OWASP ZAP, Tenable, OpenVAS, SonarQube, Veracode and Qualys, as well as cloud platforms such as Microsoft Azure and Docker.
  • Proficiency in scripting languages such as PowerShell, Bash, Python, Ruby or Node.js.
  • Understanding of continuous integration methodology and associated tools.
  • Strong knowledge of security frameworks and regulations including OWASP, CIS, PCI-DSS, GDPR and NIST.
  • Familiarity with threat modeling, API security, encryption and application reverse engineering.
  • Demonstrated ability to meet deliverables and deadlines.
  • Experience writing technical documentation and high personal integrity.

21. Application Security Analyst (Risk Assessment & Compliance Monitoring)

A key member of the information security team, the Application Security Analyst coordinates testing, monitoring, and risk assessments to ensure secure operation of company applications and systems. Collaborating across IT, development, and vendor teams, the analyst evaluates technology improvements, conducts compliance assessments, and maintains current knowledge of emerging security threats and best practices.


Primary Duties

  • Provide technical analysis of threats and vulnerabilities and assist with risk assessments of technologies and processes.
  • Evaluate technology improvements that would provide greater security protections for applications, systems and networks.
  • Conduct compliance assessments against industry best practices and provide recommendations.
  • Perform regular vulnerability assessments and ensure timely remediation of findings and communication of risks.
  • Monitor and test the effectiveness of internal application security systems including patch management, anti-virus, access control, authorization management and IDS/IPS components.
  • Provide support on secure coding, design and architecture for enhancing application security compliance.
  • Collaborate on IT, application development and information security projects to ensure security issues are addressed throughout the project lifecycle.
  • Maintain current knowledge of hacking tools, techniques, disaster recovery plans and security expertise across applications and systems.
  • Analyze results of security assessments and work with system and application owners to remediate issues.
  • Interact with vendors and consistently follow department and organizational policies and procedures.


Professional Experience

  • Two or more professional certifications preferred, including CISSP, CSSLP, GWEB, CASE, CASS, CISA or CRISC.
  • Minimum 5 years of experience in a corporate network environment.
  • Expertise in information security frameworks such as ISO 27001, ITIL, COBIT and NIST.
  • Strong knowledge of OWASP Top 10 vulnerabilities and remediation best practices.
  • Experience with static and dynamic vulnerability analysis using tools such as SonarQube, BurpSuite, Nessus, Rapid7 and Metasploit.
  • Comprehensive understanding of Internet standards and protocols including TCP/IP, REST, SAML and HTTP/HTTPS, as well as B2B security approaches including OAuth2, OIDC and SSO.
  • Solid understanding of data privacy laws and regulatory requirements such as FFIEC, SOX, GLBA, PCI-DSS and NYDFS.
  • Virtualized hosting and deployment experience using platforms such as GitHub, AWS, Azure, DevOps and Jenkins.
  • Proven analytical and problem-solving abilities.
  • Strong interpersonal, written and oral communication skills.
  • Ability to prioritize in high-pressure environments.

Editorial Process and Content Quality

This content is developed by the Lamwork Editorial Team using structured analysis of real-world job data, skill requirements, and hiring patterns.

Research framework by Lam Nguyen, Founder & Editorial Lead.

Reviewed by Thanh Huyen, Managing Editor.
