APPLICATION SECURITY ENGINEER JOB DESCRIPTION
See how companies define the Application Security Engineer role, from threat modeling to secure code review and DevSecOps practices.

Application Security Engineer Job Description Template
1. About the Role
Every week, software shipped without adversarial review becomes tomorrow's breach report. Application Security Engineers own the gap between what developers build and what attackers eventually find - running threat models, tearing apart source code, and embedding security controls before a single line reaches production. In technology companies delivering SaaS products to B2B and B2C customers, this role answers directly to engineering leadership and operates across the full range of web, mobile, and cloud-exposed surfaces. The OWASP ASVS framework and CWE/SANS Top 25 define the baseline; the daily reality is defending against XSS, SSRF, injection, and authentication flaws in fast-moving release cycles.
2. Position Summary
As the Application Security Engineer, you safeguard the integrity of product releases by identifying vulnerabilities through code review, penetration testing, and automated scanning before they reach customer-facing environments. You work embedded in engineering and product cycles, collaborating with developers, architects, and security leadership to translate risk findings into actionable remediation plans that keep delivery timelines intact.
3. Why Join Us
Career Impact: Hands-on ownership of SAST/DAST toolchain integration and bug bounty triage builds a portfolio of measurable security improvements that distinguish you from generalist engineers in the application security market.
Business Impact: When exploitable vulnerabilities reach production in SaaS platforms, customer data and uptime both suffer - your reviews and threat models are the primary technical control preventing that outcome for product teams shipping weekly.
Growth Opportunity: Consistent exposure to threat modeling, secure architecture review, and DevSecOps pipeline design accelerates the path toward senior AppSec roles, security architecture positions, or OSCP/CSSLP certifications that command premium compensation in the technology sector.
4. Key Responsibilities
- Conduct threat modeling and security architecture reviews for new features, cloud deployments, and major product releases.
- Review source code across web and mobile applications to identify injection flaws, authentication gaps, and authorization bypass vulnerabilities.
- Design and maintain automated security scanning coverage within CI/CD pipelines, including static and dynamic analysis tooling.
- Perform penetration testing against web applications, APIs, and cloud-hosted services to validate controls and uncover residual risk.
- Partner with software engineers and product teams to communicate vulnerability findings and verify that remediation meets the required standard.
- Develop and deliver secure coding training, threat modeling workshops, and security champion materials for engineering teams.
- Coordinate external penetration testing engagements and bug bounty program triage, tracking findings through to verified closure.
- Monitor emerging threats, CVEs, and changes to frameworks such as OWASP Top 10 and CWE/SANS Top 25 to keep program guidance current.
5. Required Qualifications
- Bachelor's degree in Computer Science, Information Security, Cybersecurity, or equivalent work experience.
- 3 or more years of application security experience, with at least 2 years of hands-on software development in a professional environment.
- Working knowledge of OWASP Top 10, CWE/SANS Top 25, and secure SDLC frameworks such as OWASP ASVS or BSIMM.
- Ability to read, debug, and assess security implications of code written in at least two languages, including one compiled and one scripted.
- Experience with threat modeling methodologies and security architecture review across web, API, and cloud application layers.
- Understanding of authentication and authorization standards including OAuth, SAML, OIDC, and common cryptographic primitives.
- Demonstrated ability to communicate vulnerability severity, business risk, and remediation guidance to both technical and non-technical audiences.
6. Preferred Qualifications
- Active industry certification or documented progress toward OSCP, CSSLP, CEH, or an equivalent credential recognized in the application security field.
- Experience securing container-orchestrated or cloud-native services, including familiarity with least-privilege design and secrets management.
- Participation in a public bug bounty program, CTF competition, or open-source security project with verifiable contributions.
- Exposure to compliance frameworks such as SOC2, ISO 27001, PCI DSS, or GDPR as they apply to SaaS product delivery.
7. Success Metrics & Environment
- Vulnerability closure rate, measured as the percentage of confirmed findings remediated within agreed SLA windows.
- Mean time to detection, tracking how quickly new vulnerabilities are identified after code reaches the test environment.
- SAST/DAST scan coverage percentage, reflecting the share of repositories integrated into automated security pipelines.
- Penetration test finding recurrence rate, measuring whether previously remediated vulnerability classes reappear in subsequent engagements.
- Security training completion rate across engineering teams, indicating program reach and developer engagement with AppSec materials.
- Typical tools: static analysis scanners (commonly SonarQube or Checkmarx); dynamic testing platforms (commonly Burp Suite Pro or OWASP ZAP).
8. Compensation & Benefits (US Market Benchmark)
- Base Salary Range: $110,000 to $155,000 annually, depending on experience and location
- Bonus: 8 to 15 percent annual performance bonus, role and company dependent
- Equity: RSUs or stock options common at growth-stage and public technology companies
- Health Benefits: Medical, dental, and vision coverage; employer contribution varies by company size
- PTO: 15 to 20 days annually; some employers offer unlimited PTO
- Common Perks: Remote or hybrid flexibility, learning and certification reimbursement, home office stipend
Figures are estimates based on general US market benchmarks and may be outdated. Adjust based on location, company size, and seniority level.
9. EEO & Legal
Work authorization in the United States is required for this position. All qualified applicants will be considered without regard to race, color, religion, sex, national origin, age, disability, veteran status, or any other characteristic protected under applicable federal, state, or local law. Candidates requiring a reasonable accommodation to participate in the application or interview process should notify the recruiting team at the time of application. Employment in this role is contingent upon successful completion of a background check conducted in accordance with applicable law.
Application Security Engineer Job Description Examples
1. Application Security Engineer (Vulnerability Detection & Prevention)
The Application Security Engineer leads security assessments, threat analysis, and exploit mitigation efforts to protect products from emerging internet threats. Reporting to the security engineering team, the role partners with developers to drive secure tooling adoption and strengthen architecture review across the organization.
Key Responsibilities
- Conduct regular security assessments.
- Analyze, assess and respond to various internet threats.
- Analyze and assess recurring security issue patterns from security reviews and bug research programs.
- Build prototypes of tools, exploit mitigations, libraries, and frameworks used for vulnerability detection and/or prevention.
- Use native security expertise to refine detection and prevention measures.
- Drive adoption of tools and frameworks to help developers build secure products and infrastructure.
- Review new product features and changes to architecture for security, privacy and compliance issues.
- Take a leadership role in driving internal security and privacy initiatives.
- Collaborate with engineering teams to resolve security-related findings.
- Guide engineering and product on best practices around security and security architecture.
Required Qualifications
- B.S. or M.S. in Computer Science or a related field, or equivalent experience.
- Experience in contributions to the security community through public research, blogging, or presentations.
- Experience managing projects from start to finish for development and deployment of security-related processes or tooling.
- Experience performing penetration tests.
- Cloud security and security architecture experience including reviewing tech specs and RFCs.
- Application security experience with SaaS B2B platforms.
- Familiarity with native programming languages, development practices and common bug patterns.
- Familiarity with native analysis tooling and frameworks, including fuzzing and static analysis.
- Experience with JavaScript and related frameworks such as Node.js.
- Experience applying fixes to vulnerable code or other security findings.
- Effective communication skills.
2. Application Security Engineer (eCommerce Marketplace)
Embedded within the security team at an online marketplace, the Application Security Engineer shapes security automation across monitoring, application security, infrastructure, and staff devices to keep the platform safe. Working closely with development teams, the Application Security Engineer coordinates penetration tests, triages findings and builds expertise so teams can resolve similar issues independently.
Core Functions
- Help keep the online marketplace safe and take security to the next level.
- Work closely with development teams to help make security simple and compliance reporting straightforward.
- Test, build and pitch security automation across areas including security monitoring, application security, infrastructure security and staff devices.
- Support monitoring of the external environment and assessment of emerging technologies to evaluate potential impacts, threats and opportunities.
- Coordinate penetration tests, triage results and set priorities for mitigations.
- Conduct internal security consulting to spread the how and why, not just the what, to help teams triage similar issues independently.
- Perform security verification for software design and implementation.
- Help expand security monitoring and work on incidents.
Qualifications & Experience
- Sound knowledge of OWASP.
- Understanding of SDLC within an Agile framework.
- Familiar with taking unknown technologies and acquiring working knowledge quickly.
- Hands-on knowledge of security monitoring, application security (with PHP and Node.js), infrastructure security (with cloud or Kubernetes) and/or security automation.
- Flexible mindset to pick the right control from alternatives.
- Able to contextualize issues and assess their real scale and impact.
- Comfortable working autonomously, willing to take ownership and able to dive deep on technical issues.
- Ability to talk to different stakeholders, run workshops, and communicate effectively in an international, English-speaking team.
- Willing to embrace company culture and values.
3. Senior Application Security Engineer (Online Gaming & Betting)
Reporting to the security leadership team, the Senior Application Security Engineer delivers manual and automated security decision-making workflows across the software development life cycle for an online betting platform. Partnering with product, engineering and testing teams, the Senior Application Security Engineer embeds application security best practices and builds proof-of-concept fixes that demonstrably reduce risk.
Primary Duties
- Build systems and workflows to drive manual and automated security decision-making within the software development life cycle.
- Deliver outcomes that demonstrably improve security posture and reduce risk.
- Partner with internal product and engineering teams and security testing providers to embed application security and continuously improve maturity through all stages of development and delivery.
- Work on embedding security best practices such as least privilege, isolation, monitoring, authentication and authorization across the application development ecosystem.
- Create proof of concepts to enable one-click reproduction of issues, mitigations or demonstration of security control effectiveness.
Skills & Qualifications
- 2-3 years of software development experience with at least one high-level language (Python, Golang, TypeScript) followed by 3+ years in AppSec-focused roles.
- General understanding of cloud-hosted applications and services.
- Comfortable working within Agile/DevOps-based release cycles.
- Comfortable interacting with source code repository features such as GitHub Actions.
- Able to review source code to assess security implications and requirements.
- Familiarity with common security flaws, controls, libraries, and authentication technologies including OAuth and SAML.
- Experience with common application security tools.
- Ability to review code to discover and suggest mitigations for SQLi, XSS, SSRF, authentication, authorization and other web-based and mobile security vulnerabilities.
- Able to quickly learn, dig into poorly defined problems, and know when to compromise versus hold firm on security priorities.
4. Application Security Engineer (Secure Software Development)
Sitting at the intersection of application development and cybersecurity, the Application Security Engineer builds a software assurance model that addresses security defects early in the delivery pipeline at Fortris. Operating across security architecture reviews, code reviews and penetration testing, the Application Security Engineer drives secure coding adoption and improves the Secure Software Development Lifecycle for development teams.
Duties
- Research, learn, and work with the newest security tools.
- Work as part of the Fortris Security Team with a focus on application-level security.
- Implement a software assurance model designed to address security defects early in the delivery pipeline.
- Perform security architecture design reviews for new features and product releases.
- Perform code reviews and advise developers on remediation techniques.
- Be an advocate for secure coding practices across all engineering teams.
- Facilitate internal training on various security topics to raise awareness and interest.
- Manage external penetration tests and perform internal tests, leading remediation projects to enhance existing security features.
- Improve the Secure Software Development Lifecycle and keep development teams up to date with secure coding practices.
- Create documentation and presentations for security champions on the development team.
Requirements
- BS or MS degree in Computer Science or a related technical field.
- At least 5 years in cybersecurity and application development.
- Experience in Security Engineering, Threat Modelling, Penetration Testing and Security Code Review.
- Experience in OWASP ASVS implementation and verification.
- Deep knowledge of common web application vulnerabilities (Injection Attacks, XSS, CSRF) and their mitigation strategies.
- Deep knowledge of OWASP and PTES standards and methodologies.
- Experience in developing web applications and Java programming.
- Experience with secure coding practices and automating security checks in pipelines.
- Hands-on experience implementing and tuning SAST/DAST.
- Experience with security assessment tools such as Burp Suite and OWASP ZAP.
- Ability to manually exploit security flaws on web applications and APIs.
- Advanced level of English.
5. Application Security Engineer (Cloud SaaS Security)
A key member of the security team, the Application Security Engineer builds automated security controls and guides product teams in addressing vulnerabilities across Playvox's SaaS platform. Collaborating across architecture, operations, and engineering, the Application Security Engineer monitors production security logs and strengthens incident response playbooks.
Functions
- Develop security training and guidance to internal engineering teams.
- Guide, advise and assist product development teams in the area of application security.
- Participate in initiatives to address security vulnerabilities.
- Assess security tools and integrate tools as needed.
- Define and implement guidelines for automated security controls, including container security, static code analysis and open source license checks.
- Conduct risk evaluation of GitLab product features.
- Define and implement measures to protect Playvox's intellectual property.
- Research and collaborate with Architecture and Operations teams to define guides and solutions to enhance security posture.
- Monitor security logs of production environments and propose and execute initiatives to improve security visibility.
- Build and test incident response playbooks and support other privacy and security initiatives.
Experience & Qualifications
- Experience in security operations, software development, or security automation.
- Coding knowledge in Python and NodeJS, with professional development experience as a plus.
- Knowledge of web-based applications, protocols, security controls, and common security libraries and web application security flaws.
- Experience on cloud computing platforms.
- AWS and/or GCP experience is a plus.
- Knowledge of pipeline automation and GitLab.
- Experience with infrastructure as code and policies as code is a plus.
6. Application Security Engineer (CI/CD Security Automation)
Scalable product security depends on the Application Security Engineer, who partners with development teams to mitigate vulnerabilities and implement automated security solutions across delivery pipelines. Serving as a bridge between security and engineering, the Application Security Engineer translates security objectives into GitLab and GitHub CI/CD pipeline tasks that keep applications secure.
Accountabilities
- Work closely with development teams to mitigate security vulnerabilities.
- Select, design and implement security processes and tools for security testing of developed applications.
- Implement automated security solutions for delivery processes.
- Run monitoring and participate in vulnerability scans.
- Stay up to date on security technology trends and best practices.
Technical Qualifications
- Application security background with a focus on scalable approaches to product security.
- Experience with threat modeling, security design reviews, and security architecture.
- Experience partnering with cross-functional teams to deliver widely impactful security initiatives.
- Experience with GitLab/GitHub CI/CD and YAML pipelines.
- Familiarity with modern web application development processes.
- Ability to read source code and identify vulnerabilities in one or more programming languages (Golang, Java, Python).
- Knowledge of at least one language sufficient to automate routine tasks.
- Participation in bug bounty programs, HTB, or CTF with the ability to confirm participation via links to results.
- Excellent written and verbal communication skills with the ability to translate security objectives into engineering team tasks.
7. Application Security Engineer (DevSecOps)
The Application Security Engineer applies DevSecOps principles to implement authentication and authorization solutions and reduce risk across the platform. The development team relies on this work to receive timely threat modeling, guided penetration tests, and a well-maintained vulnerability management program.
Activities
- Apply and implement DevSecOps principles and best practices.
- Work on the implementation of an authentication and authorization solution.
- Perform threat modeling and security risk assessments.
- Provide security guidance to software engineers.
- Conduct penetration tests with the team.
- Develop and support the development of security tools and controls.
- Design and maintain a vulnerability management program.
Position Requirements
- Pursuing a Bachelor's Degree in Information Technology, Information Systems Security, Cybersecurity, or a related field.
- Knowledge of security principles related to authentication, access control, cryptography, and secret management.
- Experience with a cloud platform and container environments.
- Experience in development using Python, Bash, or Golang.
- Understanding of source code control and APIs.
- Passion for the work and a desire to do it well.
- Ability to work closely and communicate effectively with the development team and product stakeholders to ensure project outcomes adhere to agreed quality standards.
8. Senior Application Security Engineer (Manufacturing & R&D Security)
The Senior Application Security Engineer leads design reviews, threat modeling and penetration testing in partnership with product, R&D, Quality, Manufacturing and Regulatory teams to mature secure development practices. The work directly supports the organization's evolving security needs by building security champions, integrating SAST, SCA and DAST tooling and delivering targeted security training.
Operational Focus
- Partner with the product and software engineering teams to assist with design reviews, code reviews, threat modelling, penetration testing, security issues remediation and other security-related activities.
- Support developers of business units in their SDLC and provide guidance regarding mitigations to emerging threats and remediation planning.
- Build security champions within product and R&D teams and help mature their secure software development practices.
- Develop and leverage partnerships effectively with cross-functional teams including R&D, Quality, Manufacturing and Regulatory to achieve business results.
- Develop security training and deliver to internal development teams and other stakeholders.
- Lead the evaluation of new security tools and technologies and build internal tools as needed.
- Lead security tools integration such as SAST, SCA and DAST tools.
- Support the changing security needs of the organization as required.
Knowledge Skills & Abilities
- Bachelor of Science in Computer Engineering, Computer Science, Software Engineering, Electrical Engineering, Computer Systems Engineering or a related discipline.
- Offensive Security Certified Professional (OSCP), Offensive Security Certified Expert (OSCE) or Offensive Security Web Expert (OSWE) certification preferred but not required.
- 5 years of experience in systems security administration, control and/or software engineering, with 3 years of experience in product security testing or security consultancy.
- Knowledge of industry standards and frameworks such as OWASP, NIST, SANS, and MITRE ATT&CK.
- Demonstrated experience implementing effective Secure SDLC frameworks.
- Development experience in C#, C++, or Java preferred.
- Cloud security experience preferred.
- Strong interpersonal, communication, technical writing and presentation skills.
- Demonstrated problem-solving and leadership skills.
- Demonstrated experience working with a multi-disciplinary, global team with excellent influencing skills and ability to gain buy-in for initiatives.
- Travel up to 10% domestic and international.
9. Application Security Engineer (Fintech Investment Platforms)
The Application Security Engineer develops scalable defense-in-depth solutions that protect Stash's web and mobile investment platform from attack. Reporting within the engineering organization, the Application Security Engineer partners with developers through code review and the bug bounty program to balance security risk against product advancement.
Key Deliverables
- Identify areas of security vulnerabilities and drive cleverly engineered, scalable solutions that improve defense-in-depth.
- Help other engineers design more secure systems via design input and code review.
- Enhance the SDLC to incorporate security development best practices, testing and auditing.
- Perform penetration tests, vulnerability scans and risk assessments on microservices and infrastructure.
- Balance security risk and product advancement by clearly communicating risks to both technical and non-technical audiences.
- Serve as a security subject matter expert and respond to internal security engineering questions and requests.
- Assist with managing the bug bounty program and external testing engagements.
Professional Experience
- Bachelor's degree in Computer Science or a related discipline, or equivalent experience.
- 5+ years of proven work experience as a security engineer or software engineer with security experience.
- 2+ years of experience working with cloud-based solutions.
- Strong understanding of secure application development practices.
- Experience conducting security assessments.
- Software development experience in Ruby on Rails, Scala, Java, or Go.
- Strong scripting experience in Python and/or Bash.
- Exceptional written and oral presentation skills.
10. Application Security Engineer (Streaming Media Security)
Embedded within Hulu's application security program, the Application Security Engineer refines code scanning tools and secure libraries to support the company's streaming platform. Working closely with developers, the Application Security Engineer provides remediation support, performs penetration testing across applications and networks, and contributes to incident response.
Areas of Ownership
- Engage with developers to provide remediation support.
- Contribute to code scanning tools and services.
- Assist with code reviews and develop secure libraries.
- Perform penetration testing across applications, lateral movement, and the network.
- Participate in incident response and analysis.
Education & Experience
- Bachelor's degree in Computer Science or equivalent experience in a related field.
- Security+ or other industry certifications.
- Experience contributing to Application Security program maturity.
- 1+ years of direct application security experience.
- 2+ years of development experience with Python, Java, JavaScript (Node/React) and/or Go.
- Knowledge of CI/CD and experience working with AWS or other cloud environments.
- Experience with WAF.
- Understanding of security risk to the business beyond the OWASP Top 10.
- Experience managing or participating in bug bounty programs; practiced threat modeling of applications.
- Contributed to open source projects.
11. Application Security Engineer (Public Sector IT Security)
Reporting to the client's IT security leadership, the Application Security Engineer oversees the application security life cycle for a Washington, DC-based government contract. Partnering with developers, the Application Security Engineer leads threat modeling efforts and refines security checkpoints to keep internal policies aligned with OWASP standards.
Role Responsibilities
- Review application security life cycle.
- Lead threat modeling efforts.
- Assist with data migrations.
- Work with developers to refine security checkpoints within the SDLC.
- Ensure internal policies align with OWASP standards.
Background & Experience
- At least 7 years of experience as an application developer with a security background.
- Experience with threat modeling and web application security assessments.
- Ability to perform threat modeling and data migrations for large application projects.
- Knowledge of security tools such as AppScan, Fortify, Veracode, and Sonatype.
- Experience outlining security requirements and verifying remediation.
- Experience within an Agile environment.
12. Application Security Engineer (Hybrid Cloud Security)
Sitting at the intersection of cloud and on-premises infrastructure, the Application Security Engineer advances security standards for engineering platforms running on Azure and AWS, as well as legacy systems. Operating across production and non-production environments, the Application Security Engineer engages customers to understand business requirements and implements corporate security standards alongside the global IT Security team.
Job Functions
- Ensure security standards for engineering platforms including state-of-the-art cloud applications (Azure, AWS) and on-premises systems, and support the operation of those platforms.
- Provide security support for production and non-production environments in the critical engineering service portfolio.
- Engage with customers to understand business requirements and determine the appropriate security level.
- Cooperate with the global IT Security team and implement corporate security standards.
- Actively participate in designing, developing, and delivering scalable, secure, and automated services.
Minimum Qualifications
- At least a Bachelor's Degree in Information Systems, Computer Science, Electronics or a similar field.
- Minimum 2 years of experience in IT security infrastructure.
- Good English language skills.
- Knowledge of cloud environments is considered an additional advantage.
- Analytical thinking and a proactive approach to problem-solving.
- Strong communication skills.
13. Application Security Engineer (Manufacturing Security Architecture)
A key member of the security architecture team, the Application Security Engineer formalizes application security development lifecycle principles across all stages of design. Collaborating across network, cloud, identity and middleware security domains, the Application Security Engineer designs controls and test plans that strengthen the security program for the automotive and manufacturing industry.
What You'll Do
- Formalize and document the application security development lifecycle principles across all stages of application design.
- Create, design and implement test plans for testing the security of systems, processes and their environment.
- Enforce a culture of code reviews and testing as an integral part of design.
- Design, develop and implement controls into applications and supporting systems.
- Develop and continuously improve the application security program.
- Provide guidance for implementation of segregation of duties requirements throughout the development lifecycle.
Required Qualifications
- Bachelor's degree or equivalent industry experience; post-graduate degree a plus.
- 3+ years of experience in network security architecture, platform security architecture, cloud, application and middleware security architecture, and identity access management architecture.
- Experience with assessment, development, implementation, optimization and documentation of security technologies and processes including secure software development, data protection, cryptography, key management, and IAM.
- Understanding of OWASP methodology and secure system development methodologies.
- Automobile and/or manufacturing industry experience is a plus.
- Strong organizational and time management skills.
- Ability to work well in a demanding, dynamic environment and meet overall objectives.
- Excellent interpersonal skills with the ability to communicate effectively verbally and in writing with both technical and non-technical personnel at all levels.
14. Web Application Security Engineer (Secure SDLC & Code Analysis)
Vulnerability remediation across the software development life cycle depends on the Web Application Security Engineer, who oversees architecture reviews, white box testing and secure coding best practices. Serving as a hands-on security partner to development and DevOps teams, the Web Application Security Engineer tracks vulnerabilities and delivers secure code training across multiple platforms and languages.
Day-to-Day Responsibilities
- Participate in architecture and design reviews with senior development and DevOps staff.
- Define and design security code analysis tools and frameworks.
- Conduct white box security testing to assess and validate application security.
- Define, maintain and enforce application security best practices.
- Monitor and track remediation progress for identified vulnerabilities and maintain their history.
- Explain and demonstrate vulnerabilities to application and system owners, and provide recommendations for mitigation.
- Issue reports on assigned application and system scans.
- Deliver secure code development training to developers, QA personnel and relevant staff.
- Evangelize security across all teams and influence change where needed.
Qualifications & Experience
- Bachelor's degree in an Information Technology-related field or equivalent experience.
- 3+ years of experience in web or mobile application security.
- Expert knowledge of information security principles, web applications, and familiarity with malicious code and common hacker techniques; thorough understanding of SDLC, BSIMM, and OWASP SAMM.
- Knowledge of cloud-based infrastructure and security needs.
- Knowledge of AWS architecture, services, and security, as well as microservices architectures.
- Experience with HTML and JavaScript, and a solid understanding of the HTTP protocol.
- Basic knowledge of SQL and experience with one or more server-side technologies such as ASP.NET or .NET Core.
- Experience implementing security practices in CI/CD environments.
- Experience with common SDLC tools including static and dynamic code analysis, open source management and threat modeling.
- Experience coordinating penetration testing activities, conducting secure code development training, and interacting with security vendors and customers.
- Knowledge of cryptographic tools or security APIs and experience using Agile and Scaled Agile Framework (SAFe) is a plus.
- Excellent problem-solving and analytical skills and outstanding oral and written communication skills.
- Self-motivated with the ability to work under minimal supervision, with an energetic and positive attitude.
15. Application Security Engineer (Enterprise Application Security)
The Application Security Engineer develops secure design standards and threat modeling practices that protect MetLife's applications and customer data. MetLife's IT Risk & Security organization relies on this work to evaluate external web application security posture, investigate critical incidents and present remediation solutions to global stakeholders.
Scope of Work
- Interface with security champions in application development teams and offer consultative advice on secure design and remediation activities.
- Participate in application security design and architecture review, secure coding standards, threat modeling and risk mitigation analysis.
- Develop and maintain enterprise security libraries, components and best practices, and perform application security risk evaluation; partner with key stakeholders to enhance the application security CI/CD pipeline and continually assess security posture for improvement.
- Present technical solutions to IT Risk and Security leadership, global application development teams and regional CIOs.
- Conduct continuous evaluation of external web application security posture with a focus on reducing the attack surface, remediating potential weaknesses and developing effective vulnerability management strategies.
- Investigate critical cybersecurity incidents, conduct industry research and forensic analysis.
- Support evaluation of new security technologies addressing current and anticipated future needs based on emerging threats and industry trends.
Skills & Qualifications
- 5+ years of combined Application Development and Security Engineering or Security Architecture experience.
- Professional certifications such as GWEB, OSCP, or CSSLP.
- Developer background with strong application security acumen.
- Hands-on experience with security design reviews and threat modeling.
- Strong understanding of OWASP Top 10, CWE/SANS Top 25, BSIMM and SAMM.
- Experience with SDLC methodologies, common industry practices, and supporting technologies.
- Experience managing several testing efforts concurrently.
- Strong communication and presentation skills to large global audiences.
16. Application Security Engineer (Media Streaming Security)
The Application Security Engineer develops the application security program from the ground up for a Hollywood-based streaming team preparing to launch its apps, integrating AppSec tools into the CI/CD toolchain. Success in the position means catching security defects before launch by partnering closely with software and site reliability engineers to evangelize secure development practices.
Work Activities
- Research, prototype and implement a range of AppSec tools into the CI/CD toolchain.
- Work closely with SWE and SRE to resolve security issues found.
- Evangelize secure software development and release across the engineering team.
- Work with security tool vendors to continuously improve their products for use.
- Participate in design and code reviews.
- Drive the continuous improvement of the secure software development lifecycle.
- Make recommendations for secure development training needs for the engineering organization.
- Participate in the assessment and remediation of production security defects as part of the incident response process.
Requirements
- BS in Computer Science or Computer Engineering.
- Certifications or experience with compliance frameworks such as GDPR, ISO 27001, or PCI preferred.
- Participation in the bug bounty community or events preferred.
- 5+ years of software development experience with at least one scripting language and one compiled language, with 3+ years in product security including cloud-deployed APIs and mobile applications on iOS and Android.
- Experience identifying vulnerabilities in mobile apps and services delivered over HTTP or TLS.
- Knowledge of OWASP Top 10 and CWE Top 25.
- Experience securing apps deployed to public cloud providers.
- Experience with Go, Swift, Kotlin and Java.
- Experience with multiple public cloud providers, IAST tools, Kubernetes and Istio.
- Experience with multiple AppSec tools including SAST/DAST.
- Track record of improving security posture of engineering teams.
- Ability to articulate security risks and mitigation.
- Excellent communication skills.
- Experience in the Streaming Media Industry is a plus.
17. Application Security Engineer (Industrial Control Systems Security)
The Application Security Engineer guides developers and management through threat model analysis and code reviews to address security flaws in custom hardware and software. Reporting across multiple international divisions, the Application Security Engineer coordinates with internal security groups and third parties to maintain compliance with IEC 62443 standards.
Performance Expectations
- Analyze UML diagrams and DFDs/Threat Models for security flaws and detail specific recommendations in software and system setup to address them.
- Mentor developers on security topics and coding.
- Develop and deliver training to developers and management on security topics.
- Analyze requirements and perform code reviews for security flaws.
- Establish direction for security requirements in custom hardware and software.
- Collaborate with other internal security groups across multiple divisions, at different levels and in multiple international locations, as well as with third parties.
- Continuously improve security processes via observation and measurement of project performance and make updates to improve accuracy, reduce overhead and maintain compliance with the IEC 62443-3-3 and IEC 62443-4-1 standards.
- Participate in audits for standards compliance.
Experience & Qualifications
- Bachelor's degree in Computer Science, Computer Engineering or a related engineering field with 5+ years of relevant experience, or a Master's degree in a similar field with 4+ years of relevant experience.
- Certifications such as CISSP, CEH, GSSP, GSEC, CSSLP, GIAC, or ISA Cybersecurity are valued.
- Hands-on professional coding experience, C/C++ or C# preferred.
- Experience in web or mobile app development and experience working with geographically distributed teams in a large developer organization.
- Experience performing application-level threat modeling and code review.
- Understanding of SDL/secure software development lifecycle practices and practical experience in software and security design principles.
- Experience with PKI/Certificates and cryptography.
- Current knowledge of malware trends, cybersecurity issues and trends specific to control systems.
- Experience in ICS, Automotive or other OT network technologies is a plus.
- Excellent interpersonal, written and verbal communication skills with the ability to clearly communicate technical information to a wide range of audiences.
- Detail-oriented, organized, flexible and proactive, and willing to accept feedback and implement changes quickly.
- Comfortable working in an Agile development environment.
18. Application Security Engineer (DevSecOps Risk Analytics)
Embedded within the Business Unit Security organization, the Application Security Engineer executes risk assessments of automated scan results and penetration test findings across the software portfolio. Working closely with development teams throughout the engineering lifecycle, the Application Security Engineer coordinates DevSecOps pipeline adoption, delivers secure coding training and produces cybersecurity analytics that drive data-driven decisions.
Core Responsibilities
- Assist software development teams with understanding and remediating automated scan results of software source code as well as penetration testing.
- Assist Business Unit Security Officers in the risk assessment process by assessing application risks and providing security recommendations for improved application design or coding.
- Work with developers throughout the software engineering lifecycle to ensure compliance with secure software development best practices.
- Drive adoption of GWAM segment code scanning capabilities and the DevSecOps pipeline.
- Develop and deliver cybersecurity analytics to allow for data-driven decisions and deliver regular reporting on initiatives, program progress and key areas of risk.
- Develop or acquire targeted training for development teams in secure coding and other security practices.
- Identify, propose and acquire toolsets to assist with the security assessment process in Agile and DevOps environments.
Technical Qualifications
- Minimum of 3-5 years of software development experience and 3+ years of work experience in application security.
- Security-related certifications such as CISSP, CSSLP, or SANS GIAC are a plus.
- Development and/or security-related experience with web applications, web services and mobile applications, including at least one of Java, C, C++, .NET or C#, and two of HTML, JavaScript, PHP, Perl, SQL, Ruby or COBOL.
- Experience working on or closely with development teams in the SDLC using DevOps, Agile and/or waterfall methodologies.
- Ability to understand and interpret vulnerabilities and communicate business impact and remediation actions to management.
- Ability to rapidly learn new technologies and business functions.
- Results-oriented, high energy and self-motivated.
- Excellent leadership, teamwork and client service skills.
- Excellent analytical, presentation and communication skills for both technical and non-technical audiences.
19. Staff Application Security Engineer (Messaging Platform Security)
Reporting to Yalo's security leadership, the Staff Application Security Engineer coordinates secure code reviews and design reviews across proprietary, partner, and third-party services. Partnering with engineering, product design and R&D teams, the Staff Application Security Engineer builds a catalog of technical security requirements and mentors junior staff to elevate AppSec expertise across the organization.
Key Responsibilities
- Lead security design reviews in partnership with Yalo engineering, product design and research and development teams.
- Perform secure code review of Yalo proprietary services, partner services and third-party application services including review of newly released product features.
- Develop and maintain a catalog of technical security requirements for Yalo's software development and release lifecycle (OWASP Top 10, OWASP API Security Top 10, OWASP Mobile Top 10, CWE/SANS Top 25).
- Select and implement a framework for conducting web application security testing and validation, such as OWASP ASVS.
- Design security tooling such as SAST/DAST code scanning for the continuous identification of system/software vulnerabilities and common misconfigurations.
- Act as a security team delegate in routine product architecture reviews to define minimum security requirements and secure design principles needed to mitigate risk without compromising customer experience.
- Conduct security research to identify emerging threats and vulnerabilities.
- Conduct routine training sessions to educate software engineering teams on how to identify and prevent commonly exploited weaknesses such as XSS, IDOR, RCE and CSRF.
- Mentor junior team members and provide AppSec knowledge sharing, coaching and training to elevate security expertise of development teams.
Position Requirements
- Bachelor's degree in Computer Science, Information Systems, or related field, or equivalent work experience.
- Certifications desirable but not required: Certified Ethical Hacker (CEH), GIAC Penetration Tester (GPEN), or Offensive Security Certified Professional (OSCP).
- 8+ years of experience as an application security engineer or a mix of security engineering and software development.
- Deep understanding of security in the software development life cycle.
- Familiar with security frameworks and standards including SOC 2, ISO 27001, and NIST CSF.
- Deep expertise in web application security scanning and penetration testing tools such as Burp Suite, Metasploit, Qualys, CANVAS, Code Pulse, Nettacker, ZAP and OWTF.
- Strong knowledge of networking and internet protocols (TCP/IP, DNS, SMTP, HTTP) and web security protocols (SSL/TLS, REST, SAML, OAuth, OIDC).
- Work experience, open-source code, or coursework in Java, C#, Python/Django, Ruby/Ruby on Rails, JavaScript/TypeScript or Golang.
- Excellent time-management, interpersonal and communication skills.
- A critical thinker, team player with a strong sense of ownership.
20. Application Security Engineer (Application Security Testing)
Sitting at the intersection of static and dynamic code analysis, the Application Security Engineer creates test scenarios for audits and identifies defects in Java, J2EE, iOS, and Android applications using Fortify SCA. Operating across Burp Suite, OWASP ZAP and manual penetration testing, the Application Security Engineer guides developers on remediation, configures SAST and DAST rules and automates the audit process.
Core Functions
- Develop security requirements at early stages of the product life cycle.
- Prepare test scenarios for audits based on business requirements, technical documentation and a list of affected systems.
- Identify defects and vulnerabilities in new and existing software products using static code analysis (Java and J2EE, iOS and Android using HPE-MicroFocus Fortify SCA), dynamic code analysis and scanning using Burp Suite and OWASP ZAP, and manual penetration testing.
- Develop recommendations for software developers for addressing identified security flaws.
- Optimize and automate the audit process.
- Configure SAST and DAST tools, including creation of new rules.
Knowledge, Skills & Abilities
- Higher education in IT; relevant certifications including OSCP, CEH or OSWE.
- More than 2 years of working experience as an Application Security Engineer or in a similar role such as penetration testing.
- Strong knowledge of basic information security concepts.
- Strong knowledge of defect types (CWE/SANS Top 25), OWASP Top 10 vulnerabilities in web and mobile applications, and ways of detecting and mitigating them.
- Strong knowledge of Java and scripting languages such as Python, PowerShell, and Bash.
- Experience in web or mobile app development.
- Experience with international information security standards, including ISO 27XXX, PCI DSS and GDPR.
- Knowledge of security standards and frameworks including SAML, OAuth, WS-Security, X.509, JAAS, SSL/TLS and OpenIAM.
- Understanding of the architecture and working principles of modern web applications.
- Experience in CTF or bug bounty programs.
21. Application Security Engineer (Cloud-Native Application Security)
A key member of the security team, the Application Security Engineer executes threat modeling, architecture review and penetration testing across web, native, cloud-based and infrastructure environments. Collaborating across engineering and operations, the Application Security Engineer reviews source code for vulnerabilities and integrates mitigation controls into CI/CD processes.
Primary Duties
- Participate in threat modeling, application architecture review, security code review, security assessment and penetration testing across web, native, cloud-based and infrastructure environments.
- Conduct security architecture reviews of the application stack including applications built on cloud and emerging technologies.
- Review source code for potential security issues and write security test cases to check for vulnerabilities or broken/missing security controls.
- Provide specific risk assessment and remediation guidelines for developers and business owners.
- Research the latest security best practices, trends, threats, vulnerabilities and technology frameworks.
- Perform in-depth security review of new features, including identifying vulnerabilities (OWASP Top 10, NVD, RCE), reviewing code in Java or C++, and verifying security posture through penetration testing using tools like Kali Linux, Burp Suite, Checkmarx and WebInspect.
- Partner with engineering and operations teams to integrate mitigation controls into CI/CD processes and develop a security baseline for cloud, container and application environments.
- Implement security architecture, methods and controls required to meet compliance and audit requirements including NIST controls and SOC 2.
Professional Experience
- Bachelor's degree in Computer Science, Information Security, Cyber Security, or equivalent.
- 3+ years of experience in information security, with 2+ years of experience within software development.
- Firm understanding of enterprise-class application architectures that are highly scalable and reliable.
- Experience with security architecture and design reviews.
- Experience with multiple languages such as Java, Go, and Python.
- Understanding of how to detect and remedy common security issues such as those in the OWASP Top 10.
- Excellent written and oral communication skills.
- Ability to articulate to both technical and non-technical audiences.
- Able to work independently and collaboratively with development teams.
22. Application Security Engineer (Logistics & Supply Chain Security)
Application security maturity at CH Robinson depends on the Application Security Engineer, who elevates DevSecOps standards and partners with engineering teams to deliver secure products and services. Serving as a consultative security expert throughout the SDLC, the Application Security Engineer performs threat modeling, architecture reviews and application testing across cloud and container environments while maintaining 24x7 on-call support.
Duties
- Support an environment and culture that favors context over control by partnering with and influencing engineers to deliver secure products and services.
- Serve as a security subject matter expert in a consultative capacity with development teams through the software engineering process, including security reviews and remediation at various stages of the SDLC.
- Create DevSecOps standard operating procedures and best practices; identify and create DevSecOps KPIs aligned to program visibility and performance.
- Build partnerships with other engineering teams and coordinate with them to streamline code deployment processes.
- Perform threat modeling, architecture reviews and application testing, ensuring critical vulnerabilities are identified, communicated and mitigated.
- Identify and implement security gating strategies within the CI/CD pipeline in partnership with engineering.
- Research and recommend changes to procedures and systems to enhance application and data security; implement tools to test and enforce application security policy as part of the DevSecOps pipeline.
- Develop and deliver security training to software engineers and maintain awareness of current security risks and emerging technologies.
- Automate security processes to reduce manual work; coordinate and manage information security projects.
- Participate in 24x7 on-call support rotation; deliver best-in-class customer service to both internal and external customers.
Education & Experience
- Bachelor's degree in Computer Science or related field.
- Preferred certifications or experience with HashiCorp Vault, Consul, Terraform, Azure AD, OAuth 2.0, OpenID Connect, and Okta.
- Knowledge of mobile application and device security (iOS/Android) is a plus.
- 5+ years of experience in web application security, cloud security, infrastructure security, penetration testing, secure software development, or security tools development, with a total of 7+ years of IT experience.
- Deep understanding of web application security.
- Solid grounding in information security principles.
- Experience with encryption technologies and methods.
- Experience using web application vulnerability scanning tools (Burp Suite Pro, ZAP Proxy, Arachni) and with manual web application testing.
- Experience securing Linux server and container orchestration environments (Kubernetes) and cloud IaaS/PaaS environments (Azure, Google Cloud, AWS).
- Experience integrating security into DevOps pipelines including static analysis, dependency scanning and dynamic testing.
- Experience with C#, JavaScript and Node.js, with strong scripting skills in Python, PowerShell and shell scripts.
- Excellent facilitation, communication and influencing skills.
- Proactive, accountable and solutions-oriented; demonstrated project management ability across complex, multi-geography projects.
- Previous experience with vendor management, coordinating vendor activities, and utilizing measurements and metrics to manage support activities.
23. Application Security Engineer (Enterprise Application Security Testing)
The Application Security Engineer evaluates applications for security flaws through fuzzing, access bypass testing, business logic abuse and fault injection using static and dynamic analysis tools. The security team relies on this work to validate bug bounty submissions, maintain threat models and ensure applications meet enterprise SSDLC standards across Java, TypeScript and PHP codebases.
Functions
- Evaluate applications for security flaws by performing fuzzing, access/authorization bypass, business logic abuse and intentional fault injection.
- Use static and dynamic analysis tools to support broad testing and vulnerability discovery.
- Review application architectures and implementation details for design flaws, incorrect security implementation and missing security controls.
- Work with other security team members to research and test for complex security issues.
- Consult with Software Engineers, Infrastructure Architects and Security Architects to correct application, architectural or environment flaws.
- Validate external security researcher bug bounty submissions.
- Work closely with service providers and external security support resources to schedule, track and manage outsourced security testing efforts.
- Create and/or maintain threat models to communicate risks to engineers, project managers and other technical personnel.
- Ensure applications are built according to enterprise security standards.
- Work with development teams to review application source code for security and operational risks.
- Perform manual code reviews of applications that are not compatible with automated SAST tools.
- Provide detailed security documentation to developers, software engineers and technical personnel when necessary.
- Provide guidance and recommendations to software architects and engineers on how to correct code-related security flaws.
- Participate in peer reviews of security assessments created by other team members.
- Manage tickets and SLAs associated with security testing efforts.
- Maintain the enterprise SSDLC standard.
Background & Experience
- Bachelor's degree in Computer Science or related field, or equivalent experience/certification; Master's degree in Computer Science or Software Engineering preferred.
- Current information security and/or software development certification preferred, including CSSLP, PSEM, or CSDP.
- 5+ years of experience in Information Technology in a frontend or backend software development role with testing/QA experience, including 2+ years as a full stack software developer.
- 2-5 years of experience with HTML, HTTP, JSON and/or XML, at least one compiled programming language, at least one interpreted programming language, and 1+ years with web service paradigms (REST, SOAP).
- Familiar with OWASP flagship projects, defensive programming, and test-driven development.
- Basic understanding of microservice architecture, software cohesion and coupling.
- Ability to fluently write, read, debug, and test applications in Java, TypeScript/JavaScript, and PHP.
- Comfortable learning new programming languages as needed for code reviews.
- Expert-level knowledge of static and dynamic analysis tools and methods.
- Advanced knowledge of software engineering concepts including GOF design patterns, SOLID principles, and Agile methodologies.
- Strong understanding of SAML, OAuth, OIDC, and common cryptographic algorithms and libraries.
- Basic understanding of network security, cryptography, and common application exploits (XSS, SQL Injection, etc.).
- Comfortable with Git, ZAP or Burp Suite, Postman, SoapUI, Jenkins, Artifactory, SonarQube, FindBugs, Docker, JIRA and Confluence.
- Experience with mobile application development on Android or iOS is a plus.
- Willing to write tools as necessary to perform day-to-day duties.
Editorial Process and Content Quality
This content is developed by the Lamwork Editorial Team using structured analysis of real-world job data, skill requirements, and hiring patterns.
Research framework by Lam Nguyen, Founder & Editorial Lead.
Reviewed by Thanh Huyen, Managing Editor.