Bonterra is a company focused on increasing the giving rate in the social good sector. As an Application Security Engineer, you will support the security of web applications and APIs, identify and remediate application security risks, and contribute to secure development practices.
Responsibilities:
- Work with engineering teams to help integrate application security best practices into the software development lifecycle (SDLC), including secure coding guidance
- Support secure CI/CD pipelines by collaborating with DevOps and cloud teams on existing security controls and workflows
- Identify, assess, and help prioritize vulnerabilities in web and API-based applications, providing guidance to engineering teams on remediation
- Perform manual web application penetration tests using established methodologies and tools
- Assist with proof-of-concept demonstrations for select security findings to help teams understand impact and remediation
- Perform application code reviews as needed
- Review and triage SAST, SCA and DAST scan results
- Track and manage application security findings, supporting remediation efforts and verification of fixes
- Support incident response efforts related to application security issues
- Provide guidance to engineering teams on common web application vulnerabilities such as those in the OWASP Top 10
- Develop and implement scripts and workflows to streamline operations and reduce manual effort
- Automate security processes and develop methods for analyzing and responding to security findings
- Assist with documenting secure coding standards and common remediation patterns
- Stay current on emerging threats, vulnerabilities, and application security trends
Requirements:
- 3+ years of experience in application security, product security, or secure software development
- Experience with manual web application penetration testing
- Experience securing modern web applications and APIs
- Strong understanding of web application vulnerabilities, their root causes, and common remediation approaches
- Ability to review application source code as needed to support vulnerability triage and testing activities
- Proficiency in at least one programming language (e.g., Java, Python, JavaScript/TypeScript, C#, or Go)
- Experience working with CI/CD pipelines and modern development workflows
- Familiarity with security testing tools such as SAST, DAST, and SCA
- Strong communication skills and ability to work collaboratively with engineering teams
- Exposure to threat modeling concepts and secure design practices
- Previous software development or application design experience
- Familiarity with cloud environments and basic AWS security concepts
- Basic knowledge of identity and access management concepts (OAuth, OIDC, JWT)
- Exposure to PCI DSS or regulated environments