APPLICATION SECURITY SPECIALIST JOB DESCRIPTION

A collection of Application Security Specialist job descriptions to help candidates understand role expectations, from entry-level duties to senior programme leadership responsibilities.

Application Security Specialist Job Description Template

1. About the Role

Secure code is only as trustworthy as the process that produced it. An Application Security Specialist owns the practices, toolchains, and assessments that keep vulnerabilities out of production, not by reviewing code after the fact but by integrating security into every stage of software delivery. This role answers to engineering leadership and operates across development, DevSecOps, and risk functions simultaneously. Keeping OWASP Top 10 weakness classes out of released code and maintaining defensible automated-testing coverage across CI/CD pipelines are the measurable outcomes the organization depends on.

2. Position Summary

As the Application Security Specialist, you will own the application security testing program, from threat modeling and static analysis through penetration testing and remediation guidance, ensuring that product teams can ship software without introducing exploitable risk. You will partner with engineering squads, security operations, and risk management, reporting to the Secure Software Development Lead or equivalent security leadership function.

3. Why Join Us

Career Impact: Hands-on ownership of SAST, DAST, and threat modeling programs at enterprise scale builds the kind of verified AppSec depth that CISSP and OSCP pathways reward and that senior engineering organizations actively recruit for.

Business Impact: Vulnerabilities caught before production deployment directly reduce breach exposure and the remediation costs that follow a CI/CD pipeline compromise - outcomes software product teams cannot achieve without a dedicated specialist owning this function.

Growth Opportunity: Experience running a secure SDLC program positions you for progression into AppSec Lead, Security Architect, or DevSecOps Engineering Manager roles as organizations expand their security-by-design commitments.

4. Key Responsibilities

  • Design and execute application security testing programs, including static, dynamic, and interactive analysis across web applications and APIs.
  • Review source code in multiple programming languages to identify exploitable vulnerabilities and provide actionable remediation guidance.
  • Integrate security controls and automated testing gates into CI/CD pipelines to enforce secure development standards at the delivery layer.
  • Conduct threat modeling sessions with product and engineering teams at project inception and during significant architectural changes.
  • Monitor and triage vulnerability findings from penetration testing programs, internal scans, and bug bounty submissions, prioritizing by risk severity.
  • Develop and deliver secure coding training and awareness programs for developers, architects, and engineering leads.
  • Collaborate with risk management and compliance functions to document control effectiveness and support audit and assessment activities.
  • Evaluate and adopt application security tooling to improve detection coverage while minimizing friction in the development workflow.

5. Required Qualifications

  • Bachelor's degree in computer science, information security, software engineering, or equivalent work experience.
  • 3 or more years of application security experience, with demonstrated ownership of vulnerability assessment and remediation programs.
  • Working knowledge of OWASP Top 10, CWE Top 25, and common web and API attack vectors, including injection, broken authentication, and data exposure.
  • Experience performing or coordinating penetration testing of web applications and APIs, including both manual and automated approaches.
  • Understanding of CI/CD pipeline security practices and the integration of automated security testing into software delivery workflows.
  • Familiarity with cloud infrastructure security concepts across at least one major provider, including access controls, network segmentation, and container environments.
  • Strong written and verbal communication skills, with ability to translate technical findings into business risk language for non-technical stakeholders.

6. Preferred Qualifications

  • Active certification in application security or penetration testing, such as CISSP, OSCP, CEH, or a GIAC credential in the web or application security domain.
  • Hands-on software development or scripting experience in at least one language, enabling independent code review without developer support.
  • Experience operationalizing DevSecOps practices including Infrastructure as Code security review and shift-left testing strategies.
  • Prior exposure to GRC platform configuration or security compliance program management in an enterprise environment.

7. Success Metrics & Environment

  • Percentage of active CI/CD pipelines covered by automated security scanning gates, tracked per quarter.
  • Mean time to remediation for critical and high-severity findings identified through SAST and DAST scans.
  • False-positive rate on static analysis findings, reflecting tool tuning and triage rigor over time.
  • Coverage rate of applications that have completed a documented threat model within the past 12 months.
  • Developer training completion rate across secure coding awareness programs delivered by this role.
  • Typical tools: SAST platforms (commonly Checkmarx or Fortify); DAST platforms (commonly Burp Suite or OWASP ZAP); CI/CD integration (commonly Jenkins or GitLab CI).
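The responsibilities and metrics above (automated gates in CI/CD, triage by severity, mean time to remediation, false-positive rate) are easier to reason about with a concrete gate in hand. The following Python is an added example written for this page, not code from any of the employers or tools named above. It assumes the SAST tool exports SARIF 2.1.0 with a "security-severity" score on each rule (a GitHub code-scanning convention that several exporters follow); the tool name, file paths, fingerprints, ticket IDs and remediation dates are all constructed.

```python
"""Added example (not from the job descriptions above): a CI security gate that
triages SAST findings and reports the programme metrics listed. Assumes SARIF 2.1.0
input with a "security-severity" score per rule; all sample data is constructed."""
import json
import sys
from datetime import date

BAND_ORDER = ["low", "medium", "high", "critical"]           # CVSS v3 qualitative bands
BAND_FLOORS = (("critical", 9.0), ("high", 7.0), ("medium", 4.0))

def band_for(score: float) -> str:
    """Map a CVSS-style score onto its qualitative severity band."""
    for name, floor in BAND_FLOORS:
        if score >= floor:
            return name
    return "low"

def _result(rule, fingerprint, uri, line):
    # Build one SARIF result record for the constructed sample below.
    return {"ruleId": rule, "fingerprints": {"primary": fingerprint},
            "locations": [{"physicalLocation": {"artifactLocation": {"uri": uri},
                                                "region": {"startLine": line}}}]}

# Constructed SARIF output for one pipeline run (hypothetical tool name and paths).
SARIF_SAMPLE = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "ExampleSAST", "rules": [
        {"id": "CWE-89", "properties": {"security-severity": "9.8"}},
        {"id": "CWE-79", "properties": {"security-severity": "6.1"}},
        {"id": "CWE-327", "properties": {"security-severity": "7.5"}}]}},
    "results": [_result("CWE-89", "fp-sqli-01", "src/orders.py", 88),
                _result("CWE-79", "fp-xss-42", "src/views.py", 12),
                _result("CWE-327", "fp-md5-07", "src/legacy.py", 301),
                _result("CWE-79", "fp-xss-43", "src/views.py", 57)]}]})

# Constructed triage decisions: every suppression carries a ticket, and accepted
# risk also an expiry, so a lapsed acceptance re-enters the queue instead of persisting.
SUPPRESSIONS = [
    {"fingerprint": "fp-xss-42", "kind": "false_positive", "ticket": "APPSEC-101", "expires": None},
    {"fingerprint": "fp-md5-07", "kind": "accepted_risk", "ticket": "RISK-55", "expires": "2024-01-31"},
]

# Constructed remediation history for the mean-time-to-remediate metric.
CLOSED_SAMPLE = [{"band": "critical", "opened": "2024-03-01", "closed": "2024-03-04"},
                 {"band": "high", "opened": "2024-03-02", "closed": "2024-03-12"},
                 {"band": "medium", "opened": "2024-02-01", "closed": "2024-03-20"}]

def load_findings(sarif_text: str) -> list:
    """Flatten SARIF results into findings carrying score, band and location."""
    findings = []
    for run in json.loads(sarif_text)["runs"]:
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            score = float(rules.get(res["ruleId"], {}).get("properties", {}).get("security-severity", 0.0))
            loc = res["locations"][0]["physicalLocation"]
            findings.append({"rule": res["ruleId"], "score": score, "band": band_for(score),
                             "fingerprint": res["fingerprints"]["primary"],
                             "where": f'{loc["artifactLocation"]["uri"]}:{loc["region"]["startLine"]}'})
    return findings

def triage(findings: list, suppressions: list, today_iso: str) -> dict:
    """Bucket findings; an expired suppression is reported and the finding re-queued."""
    today = date.fromisoformat(today_iso)
    by_fp = {s["fingerprint"]: s for s in suppressions}
    out = {"actionable": [], "false_positive": [], "accepted_risk": [], "expired": []}
    for f in findings:
        s = by_fp.get(f["fingerprint"])
        if s is None:
            out["actionable"].append(f)
        elif s["expires"] is not None and date.fromisoformat(s["expires"]) < today:
            out["expired"].append(f)
            out["actionable"].append(f)
        else:
            out[s["kind"]].append(f)
    return out

def gate(actionable: list, fail_on: str = "high") -> tuple:
    """Pass only when no actionable finding sits at or above the fail_on band."""
    threshold = BAND_ORDER.index(fail_on)
    blocking = [f for f in actionable if BAND_ORDER.index(f["band"]) >= threshold]
    return len(blocking) == 0, blocking

def mean_time_to_remediate(closed: list, min_band: str = "high") -> float:
    """Mean days from opened to closed for findings at or above min_band."""
    days = [(date.fromisoformat(c["closed"]) - date.fromisoformat(c["opened"])).days
            for c in closed if BAND_ORDER.index(c["band"]) >= BAND_ORDER.index(min_band)]
    return sum(days) / len(days) if days else 0.0

def run_gate(sarif_text, suppressions, closed, today_iso, fail_on="high") -> dict:
    """One pipeline stage: triage, the gate decision, and the metrics to report."""
    findings = load_findings(sarif_text)
    buckets = triage(findings, suppressions, today_iso)
    passed, blocking = gate(buckets["actionable"], fail_on)
    return {"passed": passed, "blocking": len(blocking),
            "blocking_findings": [f'{f["rule"]} {f["band"]} {f["where"]}' for f in blocking],
            "false_positive_rate": round(len(buckets["false_positive"]) / len(findings), 3) if findings else 0.0,
            "expired_suppressions": len(buckets["expired"]),
            "mttr_days_high_plus": mean_time_to_remediate(closed)}

if __name__ == "__main__":
    summary = run_gate(SARIF_SAMPLE, SUPPRESSIONS, CLOSED_SAMPLE, "2024-03-15")
    print(json.dumps(summary, indent=2))
    sys.exit(0 if summary["passed"] else 1)   # a non-zero exit fails the CI stage
```

Two design points matter in practice. Suppressions are keyed on the tool's stable fingerprint rather than file and line, so a refactor does not silently drop a triage decision, and accepted risk carries an expiry so that a lapsed acceptance is surfaced as "expired" and returns to the actionable queue rather than living on indefinitely. The false-positive count in the output is the number that, tracked over time, shows whether tool tuning is actually improving.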

8. Compensation & Benefits (US Market Benchmark)

  • Base Salary Range: $95,000 to $140,000 per year depending on seniority and location
  • Bonus: Annual performance bonus of 8% to 15% of base salary
  • Equity: RSU grants common at mid-to-large technology firms; varies by employer
  • Health Benefits: Medical, dental, and vision coverage; employer contribution standard
  • PTO: 15 to 20 days annually plus public holidays; some employers offer unlimited PTO
  • Common Perks: Remote or hybrid flexibility, home office stipend, certification reimbursement, and conference attendance support


Figures are estimates based on general US market benchmarks and may be outdated. Adjust based on location, company size, and seniority level.

9. EEO & Legal

Work authorization in the United States is required for this position. All qualified applicants will be considered for employment without regard to race, color, religion, sex, national origin, age, disability, veteran status, sexual orientation, gender identity, or any other characteristic protected under applicable federal, state, or local law. Reasonable accommodations are available to individuals with disabilities throughout the application and employment process upon request. Employment is contingent on successful completion of a background check.

Application Security Specialist Job Description Examples

1. Application Security Specialist (Cloud Security)

The Application Security Specialist owns the design and implementation of security solutions across cloud platform domains, including automation, access controls, network, and forensics. Working closely with clients and cross-functional teams, this role shapes cloud security strategies from early planning through deployment to strengthen clients' cloud and on-premise environments.


Key Responsibilities

  • Support design and development of security solutions.
  • Manage the development, refresh, and implementation of security policies, standards, guidelines and procedures.
  • Implement and manage security components within the cloud platform covering automation, access controls, network, automated compliance, alerting, and forensics.
  • Recognize areas for security improvements within the cloud platform's automation, access controls, network, automated compliance, alerting, and forensics.
  • Define and support secure continuous delivery approaches including tooling and automated testing.
  • Perform security operations tasks.
  • Coordinate remediation of penetration testing findings and incident management, and deliver cloud transformation projects from the early planning phase through successful deployment.
  • Assess the current state of clients' cloud infrastructure, develop strategies and roadmap for improvement and advise on further securing the clients' cloud environments and interaction with their on-premise infrastructure.
  • Assist clients in developing strategies to secure their cloud environment by providing high-value consultancy work.


Required Qualifications

  • Minimum of 3 years of experience in cyber security, including the analysis of cyber attacks.
  • Foundational experience with, and a sound understanding of, the network stack and network protocols.
  • Understanding of network security including Network and Host IDS/IPS, WAF, SIEM, Antimalware, DLP, URL filtering, and other controls.
  • Knowledge of encryption management, secure coding, and Security Testing, including SAST and DAST, as well as Vulnerability management.
  • Understanding of OWASP Top 10 web application security risks.
  • Motivated personality with ability to work in self-organised teams.
  • Strong verbal and written communication skills.
  • Fluent in English.

2. Application Security Specialist (DevSecOps & Application Testing)

Embedded within the GDP DevSecOps team, the Application Security Specialist delivers secure code development practices and application security expertise across engineering teams in Poland. Working closely with the GDP DevSecOps coach, application owners, and engineering staff, this role advances the organization's security posture by consolidating dashboards, deploying tooling, and building a local security guild.


Core Functions

  • Work closely with engineering teams to promote secure code development throughout the development process.
  • Work closely with GDP DevSecOps coach to deploy DevSecOps best practices in Poland.
  • Act as a local security expert and referent for all topics related to application security.
  • Review security tools and application penetration test findings with the application owner and collaborate to eliminate or remediate associated risks.
  • Contribute to selection of DevSecOps security tools and coordinate their deployment per engineering teams.
  • Promote use of security tools through awareness and training sessions to engineering teams.
  • Consolidate and monitor the application security dashboard, liaising with the relevant teams to bring security KPIs to target in line with the engineering process.
  • Contribute to development of local security guild and improvement of IDEMIA DevSecOps security practices.
  • Estimate, prioritize, plan, and coordinate security testing activities.


Qualifications & Experience

  • 2+ years of experience in Security Testing of Web/Mobile Applications and APIs.
  • Strong knowledge and working experience of OWASP Top 10.
  • Good knowledge and working experience of security tools such as Fortify, SonarQube, OWASP Dependency Check, and Nexus IQ.
  • Experienced in Agile and/or Kanban methodologies and JIRA for work assignments and defect logging.
  • Experience in cloud security with AWS is a plus.

3. Application Security Specialist (Product Lifecycle Security)

Reporting to security leadership, the Application Security Specialist implements and maintains security technologies across the Secure Product Lifecycle, supporting Adevinta marketplaces in responding to vulnerabilities within their CI/CD environments. Partnering with local SiteOps and Development teams, this role delivers measurable improvements in security awareness and vulnerability program efficiency.


Primary Duties

  • Implement and maintain the required security technologies and tooling of Secure Product Lifecycle.
  • Help Adevinta marketplaces respond effectively and efficiently to detected issues and vulnerabilities in their CI/CD environments.
  • Provide sufficient guidance and explanations for marketplaces to understand detected issues and vulnerabilities at both application and infrastructure levels.
  • Monitor and analyse vulnerabilities reported by penetration testing programs and optimise the program.
  • Customise security technologies to obtain higher efficiency and add the least amount of latency to the product development process.
  • Engage in depth with local teams to raise security awareness and shift security left in SiteOps and Development teams.


Skills & Qualifications

  • At least 5 years of proven experience with application security.
  • Solid knowledge and experience with infrastructure orchestration and configuration automation.
  • Deep understanding of information security, including threat modeling, SAST, DAST, and dependency checkers.
  • Good understanding of public cloud platforms such as AWS and GCP, and container orchestration solutions.
  • Excellent analytical and problem-solving skills.
  • Strong ownership of leading security programs.
  • Great team player with excellent communication and presentation skills.

4. Senior Application Security Specialist (Enterprise AppSec Programme)

Sitting at the intersection of application security engineering and enterprise risk governance, the Senior Application Security Specialist leads the creation and expansion of the Application Security Programme while embedding security practices into Agile and DevOps processes. Operating across software product teams, endpoint protection tooling, and large group-spanning projects, this role ensures control effectiveness is continuously evidenced and risk is reported at scale.


Duties

  • Create, operate, and expand the Application Security Programme.
  • Work closely with software product teams to consult them on identified vulnerabilities and mitigation plans.
  • Automate recurrent tasks and embed security best practices into Agile and DevOps processes.
  • Document secure coding best practices.
  • Perform hands-on Security Testing as required.
  • Design and engineer CoS endpoint protection tools to enable deployment, configuration, and ongoing lifecycle management across the estate.
  • Lead and deliver large, high-profile projects spanning the group and requiring a broad perspective in solving challenges.
  • Manage and deliver changes to controls as necessary outside of project activity.
  • Develop key indicators, analysis, and artefacts to continually evidence and report control effectiveness and risk for the group.


Requirements

  • Hands-on experience in enterprise-scale implementations of automated Application Security Testing including SAST, SCA, and IAST.
  • Knowledgeable in CI/CD practices and tools, with ability to perform application security testing, report findings, and provide remediation guidance.
  • Deep understanding of common and emerging vulnerabilities across web applications, thick clients, and APIs, with familiarity with OWASP Top 10, SANS Top 25, NIST, and ASVS.
  • Familiarity with Java, Agile, DevOps, DevSecOps, and popular security frameworks including NIST and CIS, with strong skills to author formal documentation.
  • Experience in risk and control management, monitoring, and reporting.
  • Likely holds one or more certifications such as CISSP, OSCP, TOGAF, or GIAC.
  • Excellent verbal and written communication skills with ability to convey technical concepts to non-technical audiences.
  • Strong stakeholder management and critical thinking skills.

5. Application Security Specialist (Vulnerability Assessment & Remediation)

The business impact of a mature application security program depends on the Application Security Specialist, who organizes and performs application security testing initiatives, including internal and external testing, while supporting remediation and secure coding training across the development lifecycle. Based within the IT security function, this role provides metrics, guidance, and expert advice to developers and stakeholders at a global Fortune 500 scale.


Accountabilities

  • Organize, perform, and support application security testing initiatives including internal and external testing.
  • Conduct static and dynamic scans and testing for vulnerabilities, reducing false positives, and perform security checks in a fast-paced environment.
  • Assist with application security remediation and design.
  • Support security efforts through the application development lifecycle.
  • Provide expertise, guidance, and advice related to all application security issues.
  • Facilitate secure coding training and awareness initiatives for developers and appropriate stakeholders.
  • Provide relevant metrics on the performance of the application security program.
  • Assist with incident response duties.


Technical Qualifications

  • Bachelor's degree in information security, computer science, information management systems, software development, or related field required.
  • Appropriate security certifications preferred, particularly in penetration testing and application security domains.
  • 3+ years of experience in application security, preferably in a Fortune 500 global environment.
  • Well-versed in application vulnerabilities and attack vectors, including cross-site scripting, SQL injection, denial of service, OWASP Top 10 vulnerabilities, and data exfiltration.
  • Strong experience with web applications and manual and automated penetration testing, including identifying, verifying, and reducing false positives.
  • Ability to prioritize vulnerabilities by risk and design vulnerability mitigation strategies in a fast-paced digital environment.
  • Strong negotiation skills.

6. Application Security Specialist (ServiceNow GRC Implementation)

As the Application Security Specialist, this role leads efforts to implement ServiceNow GRC for Cybersecurity at Caterpillar, gathering requirements from business and IT teams and developing technical specifications in support of the GRC business transformation team. The Cybersecurity organization relies on this work to continuously improve governance, risk, and compliance processes and functionality across tens of thousands of users globally.


Activities

  • Lead efforts to design and implement ServiceNow GRC solutions in conjunction with implementation partner.
  • Maintain and provide continuous improvement of processes, standards, policies, working methods, and tools.
  • Collaborate with business and IT teams to gather input to support ongoing GRC business objectives.
  • Collaborate effectively with ServiceNow administrators to develop solutions and handle configuration changes and requests.
  • Participate in ongoing production and end user support.
  • Provide regular project updates and report-outs.


Position Requirements

  • Bachelor's degree in Cybersecurity, Information Security, Computer Science, Management Information Systems, Business, or a related field.
  • At least one active certification or willingness to obtain within the first year: CISA, CISM, CISSP, or CRISC, with other certifications such as PMP, SANS/GSEC, ServiceNow GRC, or ITIL a plus.
  • 6+ years of experience in Cybersecurity or Information Technology.
  • Strong working knowledge of the ServiceNow Platform and working knowledge of at least two of the following: Java/J2EE, JavaScript/AJAX, C#/C++/C, Perl, Python, or SQL.
  • Foundational understanding of Governance, Risk and Compliance concepts including Policy, Compliance, and Risk Management, with knowledge of database security procedures and Archer experience.
  • Excellent teamwork, collaboration, analytical, and project management skills with strong attention to detail.
  • Excellent written and verbal communication skills with the ability to present technical information to non-technical audiences.

7. Senior Application Security Specialist (Web & API Penetration Testing)

A key member of the information security team, the Senior Application Security Specialist / Lead shapes the strategy for application security tooling, including SCA, SAST, IAST, and DAST, while performing secure code reviews and penetration testing across diverse technology stacks. Collaborating across development teams and mentoring colleagues, this role embeds application security into every stage of the application delivery lifecycle regardless of delivery methodology.


Functions

  • Ensure application security is an embedded and critical part of the application delivery lifecycle, including during early project stages, regardless of delivery methodology.
  • Perform secure solution design assessments including technical threat modelling.
  • Perform secure code review across a variety of programming languages as well as penetration testing.
  • Contribute to and deliver the strategy for application security tooling including SCA, SAST, IAST, and DAST.
  • Automate security testing and processes as part of CI/CD.
  • Work with the team to identify inherent vulnerabilities and information security risks within systems and applications.
  • Mentor team members in best practice around information security standards.


Experience & Qualifications

  • Strong experience with web application and API security, including whitebox and blackbox penetration testing and secure code reviews.
  • Experience testing a broad range of technology stacks including previously unfamiliar ones while delivering high-quality coverage.
  • Experience with application architecture, secure solution design, and practical application of threat modelling.
  • Experience with cloud application and infrastructure patterns, particularly GCP and AWS, and web application security practices.
  • Hands-on experience with application security tooling including SCA, SAST, IAST, and DAST.
  • Experience with continuous integration tools such as GitLab, Bamboo, or Jenkins, and proven experience with agile practices.
  • Experience actively fostering a strong DevSecOps culture.
  • Understanding of Continuous Delivery, Continuous Integration, and Infrastructure as Code.

8. Application Security Specialist (Federal Security Operations)

The Application Security Specialist supports the preparation and implementation of security policies, coordinates access controls, and develops security awareness training within a Federal customer environment. Success in the position means maintaining safe, compliant security operations aligned with US Department of Energy requirements while serving as a professional liaison between management, personnel, and authorized visitors.


Operational Focus

  • Assist with the preparation and implementation of security policies and procedures and coordinate with personnel regarding security incidents.
  • Interact professionally with Federal customers, visitors, management, and peers.
  • Coordinate access controls to allow authorized personnel or visitors access to restricted records, materials, or areas.
  • Assist with planning and development of security awareness training and education for security operations.
  • Recommend and coordinate with Security personnel on implementation of policies and procedures in support of management objectives.
  • Develop and facilitate internal communications including processing and distribution of information through communications services.
  • Conduct all activities safely and in accordance with established HS&E requirements, stopping work when unsafe conditions or actions are identified.


Knowledge Skills & Abilities

  • Bachelor's degree in a business-related field or two additional years of direct work experience.
  • One or more years of experience in law enforcement activities, security operations, or equivalent work experience.
  • Practical knowledge of manufacturing or industrial practices and operations.
  • Familiarity with badging and access control.
  • Knowledge of computer applications preferred.
  • Excellent communication, organizational, analytical, and interpersonal skills.
  • Ability to work well independently and as part of a team.

9. Application Security Specialist (Secure Software Advisory)

The Application Security Specialist delivers high-quality software advisory services and remediation guidance while integrating security processes with multiple development teams through SAST and DAST tooling. Reporting directly to the Secure Software Development Lead, this role produces vulnerability MI (management information) reports and provides first-line technical support for static code analysis and web application scanning systems.


Key Deliverables

  • Work in collaboration with development teams to ensure full integration with security processes.
  • Support vulnerability assessment and remediation planning.
  • Manage user accounts, housekeeping, and role-based access control for testing tools.
  • Support development teams in conducting security tests using SAST and DAST tools.
  • Provide training and administrative first-line support for static code analysis and web application scanning tools, including systems maintenance, user access, and appliance deployments.
  • Provide technical security expertise for secure configuration of code analysis tools and ensure identified vulnerabilities are remediated or managed via the WTW risk management framework.
  • Produce data to support MI reports on vulnerabilities identified using application security tools.


Professional Experience

  • Sound experience in software development and secure coding practices.
  • Information security qualifications such as SANS GCIA, GCIH, CEH, or CISSP preferable.
  • Practical experience in Windows OS, SQL Server, software installation, patching, remote access, and data backup and recovery.
  • Experience assessing security risk, identifying vulnerabilities, and using Azure DevOps, GitHub, or comparable development platforms.
  • Practical knowledge of administering and configuring web application scanning tools.
  • Knowledge of OWASP Top 10 vulnerabilities and IP networking protocols.
  • Strong MS Excel skills.
  • Excellent communication and stakeholder management skills.
  • Ability to work under tight timeframes while multitasking effectively.

10. Staff Application Security Specialist (SDLC & Bug Bounty Program)

Reporting to the information security leadership at Lightspeed, the Staff Application Security Specialist develops security tools and libraries, performs code reviews and penetration testing, and manages the maturation of the secure SDLC program across product development teams. Working closely with engineers and various business functions, this role advances the security and compliance program by ensuring SAST, DAST, and pentesting activities occur consistently for retailers.


Areas of Ownership

  • Be a subject matter expert to engineers, empowering them to prevent weaknesses before they are shipped to retailers.
  • Write code to develop security tools and libraries to help integrate security early into the software development lifecycle.
  • Perform code reviews and penetration testing on internal and external applications.
  • Help manage vulnerability reports from external security researchers through the bug bounty program.
  • Threat model existing applications.
  • Drive the secure SDLC program with product development teams ensuring secure coding practices, SAST, DAST, and pentesting activities occur consistently and remediations are prioritized.
  • Assist in incident response when a security event occurs.


Background & Experience

  • Previous software engineering experience in a production environment.
  • Knowledge of cloud infrastructure services such as AWS and GCP.
  • Technical knowledge of security engineering, identity and access management, applied cryptography, and security protocols.
  • Knowledge of and hands-on experience with application threat modeling, web application vulnerabilities, and secure code reviews.
  • Knowledge of defensive security tools and techniques including vulnerability scanning, IPS/IDS, and WAF, as well as encryption concepts and cryptographic key management.
  • Ability to read, write, test, and break code in one or more languages, including scripting and compiled languages such as Python and Go.
  • Ability to act responsibly with sensitive and confidential information.

11. Cyber Application Security Specialist (DevSecOps)

Reporting to the CISO/BISO organization, the Cyber Application Security Specialist refines application security processes by assessing HTTP vulnerabilities, performing code reviews, and providing DevSecOps consultancy across internal and external stakeholders. Partnering with Application Owners and vendor teams, this role oversees the security toolset managed by the Application Security team and contributes metrics to support risk posture assessments.


Role Responsibilities

  • Assess and verify HTTP vulnerabilities reported by SAST/DAST/IAST security capabilities.
  • Act as SME on application security processes and technologies.
  • Perform code reviews and HTTP traffic analysis in support of Cyber Response investigations.
  • Handle administrative tasks related to the security toolset managed by the Application Security team.
  • Raise awareness among Application Owners about application security processes and policies.
  • Support the CISO/BISO organization in achieving security compliance.
  • Monitor vendor and partner performance in addressing application risks.
  • Provide security consultancy around DevSecOps implementation and integration with AppSec capabilities.
  • Represent Application Security perspectives at meetings with internal and external stakeholders and provide metrics to support risk posture assessments.


Education & Experience

  • Bachelor's degree with 5+ years of experience in the Information Technology field.
  • Certifications including CompTIA Security+, CyberSecurity Analyst+, PenTest+, CEH, or GIAC certifications such as GWEB, GWAPT, or GXPN preferred.
  • 4+ years of web/mobile development or Information Security background with hands-on scripting experience in Python or Bash.
  • Knowledge of Cyber Security Operations, SIEM data analysis, and evidence of pen-testing experience via platforms such as Hack the Box.
  • Expertise in securing DevSecOps CI/CD pipelines and exposure to cloud security best practices.
  • General knowledge of regulatory requirements.
  • Experience working across business units and geographical boundaries.
  • Strong verbal, written, and analytical communication skills.

12. Senior Application Security Specialist (Investment Management AppSec)

Sitting at the intersection of application security strategy and enterprise risk management, the Senior Application Security Specialist designs and implements a company-wide security strategy across LGIM while owning application, platform, and Cloud security vulnerability management. Operating across application owners, Group IT Security, and engineering teams, this role strengthens the organization's secure-by-design culture through threat modelling, penetration testing, and tooling evaluation.


Job Functions

  • Serve as the AppSec security expert across LGIM and a point of contact for the security of applications.
  • Collaborate with Group IT Security and key colleagues to define and implement a company-wide security strategy.
  • Collaborate with application owners to develop and maintain an up-to-date inventory of applications used across LGIM.
  • Identify application security requirements and promote secure application development from the offset of a project.
  • Own and perform application, platform, and Cloud security vulnerability management.
  • Coach, educate, and promote a secure-by-design culture.
  • Perform threat modelling for high-risk applications to ensure security requirements meet the evolving threat and business landscape.
  • Schedule and execute application penetration tests for all qualifying applications across LGIM.
  • Evaluate, implement, and communicate new tools and features to improve security posture and support adoption across platform and engineering teams.


Minimum Qualifications

  • Development and scripting experience with ability to create secure engineering pipelines and implement automation.
  • Threat modelling and dynamic testing experience, including identifying security issues through code review and dealing with external pen testers and vulnerability scanning tools.
  • Extensive knowledge of infrastructure components, networks, applications, middleware, and databases for identifying and addressing security threats.
  • Well-versed in designing and developing threat detection and protection solutions at various network and domain services levels.
  • Financial services experience would be a strong advantage.

13. Application Security Specialist (System Development Lifecycle Security)

A key member of the IT Security Group, the Application Security Specialist develops secure coding practices and performs vulnerability assessments across a variety of programming languages and toolsets throughout every stage of the system development lifecycle. Collaborating with developers and other stakeholders, this role enables self-service security capabilities and manages WAF policies to protect the organization's application portfolio.


What You'll Do

  • Ensure security is handled as a built-in and permanent part of the system development lifecycle.
  • Manage compliance requirements including PCI-DSS and GDPR.
  • Train and mentor developers in secure coding techniques and supporting toolsets to enable self-service.
  • Perform secure code reviews across a variety of programming languages.
  • Perform application vulnerability assessments including regular scanning and penetration testing activities.
  • Perform PoC and adoption processes for security toolsets including SAST, DAST, and SCA to improve the organization's application security toolchain.
  • Help manage WAF policies to virtually patch applications where required.


Qualifications & Experience

  • Strong understanding of application security risks including the OWASP Top 10 and CWE Top 25.
  • Knowledge of web and mobile application security.
  • Experience with static code analysis and vulnerability scanning tools.
  • Hands-on software development experience with professional security code review experience in one or more languages such as Golang, Java, C++, PHP, JavaScript, or HTML.
  • Knowledge of software architectural styles including SOA, MVC, and microservices, and various security design approaches.
  • Functional understanding of tooling integrations supporting Agile, CI/CD, and DevSecOps methodologies.
  • Experience with one or more cloud service providers and cloud-ready application development using containers, service mesh, and container orchestration.
  • Experience with agile software development practices, preferably Scrum.

14. Application Security Specialist (Compliance & Contract Review)

The value of a mature information security and compliance program depends on the Application Security Specialist, who provides subject matter expertise across security assessments, contract reviews, penetration testing, and IT risk management in collaboration with Legal, IT, Product, and Development teams at SS&C. Serving as a compliance and privacy specialist, this role monitors security legislation, supports client due diligence, and delivers high-quality written communications on audit and compliance issues.


Day-to-Day Responsibilities

  • Provide specialist security and privacy knowledge inputs to sales and legal for service agreements.
  • Create and deliver high-quality written communications on security, compliance, and audit issues.
  • Work with client organizations to assist with due diligence responses and site inspections.
  • Develop and maintain knowledge of security and compliance attributes of Advent's products.
  • Perform and analyze vulnerability assessments and penetration tests and recommend remediation.
  • Review and enhance security policies covering physical and logical access to systems and management of sensitive data.
  • Perform IT risk assessments, incident investigations, root cause analyses, and forensics.
  • Monitor and report on privacy and security legislation, regulations, and standards.


Skills & Qualifications

  • Certifications a plus, including SANS, CISSP, CISM, CRISC, CEH, CompTIA, or IAPP.
  • 5-7 years of professional experience, with 2-5 years involving security, compliance, risk management, and privacy of non-public personal data.
  • Knowledge of common security frameworks, privacy principles, and common computer security issues, including network and application vulnerabilities.
  • Experience with IT security and privacy risk assessments and audits of IT general security controls.
  • Experience in a pre-sales or post-sales compliance and contracts role.
  • Familiarity with phases of the software development lifecycle.
  • Experience with common vulnerability scanning and penetration testing tools, and experience writing in areas such as legal contracts, audit reports, and sales presentations.
  • Ability to document policies and procedures.
  • Strong interpersonal skills with ability to work analytically and manage multiple simultaneous activities.
  • Ability to operate with limited direct supervision.

15. Application Security Specialist (Secure Development Lifecycle Advisory)

As the Application Security Specialist, this role manages a comprehensive secure software development lifecycle program and represents the Application Security team in project meetings, audits, and supplier assessments within a DevSecOps-centered engineering environment. The development and risk management functions rely on this work to maintain rigorous application security documentation, training, and consultancy across all participants in the development process.


Scope of Work

  • Work with the leadership team to ensure a comprehensive secure software development lifecycle program and implementation of a Modern Software Engineering environment with DevSecOps at its core.
  • Represent the Application Security team in face-to-face project meetings as required.
  • Prepare and deliver presentations explaining how application security is implemented and the rationale behind the approach.
  • Provide specialist input into security framework documents including policies, standards, and questionnaires, and maintain application security documentation and best practices.
  • Look after application security training arrangements for all participants of the development process.
  • Provide consultancy and expert input into development activities including second opinions, research, and trade-off analysis.
  • Review all audit plans, audit reports, defect descriptions, and risk assessments produced by the Application Security team.
  • Liaise with the risk management function on residual risks and with suppliers and B2B partners regarding application security assessments of their solutions.
  • Support the selection process for suppliers of software development services and software solutions, assessing their application security capability and Secure Development Lifecycle quality.


Requirements

  • Degree in IT, mathematics, or science.
  • Background in industrial software development including secure application development within structured processes.
  • Deep competence in Application Security and Data Protection.
  • Thorough knowledge of PCI-DSS and pragmatic strategies for meeting application-level requirements.
  • Significant experience with threat modelling in a cloud environment.
  • Knowledge of application security and Secure Software Development Lifecycle practices.
  • Knowledge of information security standards and frameworks such as OWASP, NIST, and SANS.
  • Experience in security reviews for code, design, architecture, and threat modelling.
  • Strong understanding of OO analysis and design, and of database design.
  • Experience delivering training to both technical and non-technical audiences and mentoring others in Information Security.
  • Proven experience working in an offshored team environment.

Editorial Process and Content Quality

This content is developed by the Lamwork Editorial Team using structured analysis of real-world job data, skill requirements, and hiring patterns.

Research framework by Lam Nguyen, Founder & Editorial Lead.

Reviewed by Thanh Huyen, Managing Editor.
