Perform and validate application & API security testing (OWASP & API Top 10, business logic abuse, auth/authorization flaws, data exposure).
Assist with vulnerability lifecycle management by gathering and normalizing findings (scanners, manual assessments, etc.), validating impact, setting priority, and assigning remediation tickets.
Integrate and maintain security tooling in CI/CD (SAST, SCA, DAST, SBOM, container and secrets scanning) and collaborate with developers to tune signal vs noise.
Assist with configuration and lifecycle management of AppSec tooling (e.g., CNAPP, WAF, secret management)
Contribute to threat modeling & secure design reviews (data flows, trust boundaries, abuse cases, cloud IAM, entitlement surfaces)
Partner with engineering, DevOps, product, and QA to embed secure patterns early (“shift left”) and provide code-level remediation guidance.
Automate repetitive security tasks and reporting where possible (scripts, pipeline jobs, policy-as-code)
Participate in incident response activities, including containment, eradication, and recovery efforts.
Support the implementation of security policies, procedures, and standards.
Stay up-to-date with the latest security trends, threats, and technology advancements.

+3 years combined experience in software development and/or application security engineering.
Ability to read and develop secure code in at least one of: Python, Java, JavaScript/TypeScript, Go, or C#.
Understanding of Application Security principles and web application vulnerabilities such as OWASP Top 10, their risk and remediations
Basic understanding of cloud computing principles and services (e.g., AWS, Azure, Google Cloud).
Exposure to security tools such as vulnerability scanners.
Strong communication and teamwork skills.
Detail-oriented with a proactive approach to identifying and mitigating security risks.

Application Security Engineer

Key skills