BigCommerce is a company focused on empowering businesses through its AI-driven commerce ecosystem. It is seeking an Application Security Engineer II who will perform security assessments, conduct penetration testing, and collaborate with engineering teams to enhance secure development practices.
Responsibilities:
- Perform regular and ongoing penetration testing of BigCommerce’s evolving applications and services
- Conduct security code audits and participate in architectural and design reviews
- Review project technical designs and follow through implementation to ensure secure outcomes
- Triage and validate findings from SAST, DAST, and SCA tools (e.g., Checkmarx, Snyk)
- Work directly with engineering teams to provide clear, practical remediation guidance
- Respond to application-related security incidents, providing technical analysis and support
- Assist in maintaining and improving internal security tooling and automation
- Utilize vulnerability and telemetry data to identify trends and support risk prioritization
- Contribute to improving AppSec documentation, standards, and secure coding guidance
- Advocate secure development practices across the BigCommerce ecosystem
- Conduct research to identify new attack vectors relevant to our platform
Requirements:
- Bachelor's degree in Computer Science, Engineering, MIS, or equivalent experience
- 2–4 years of experience in application security-related disciplines (code review, penetration testing, security engineering, DevSecOps)
- 1–2 years of software development experience in PHP, Ruby, Java, Scala, or similar
- Strong understanding of web application security concepts, vulnerabilities, exploits, and prevention techniques
- Experience performing independent code reviews and security assessments
- Hands-on experience with SAST/SCA tools such as Checkmarx and Snyk
- Ability to explain security issues clearly and effectively to developers
- Strong written and verbal communication skills
- Experience working with globally distributed teams
- Security certification (CISSP, OSCP, GISP, or actively pursuing)
- Experience contributing to internal security tooling or automation
- Familiarity with cloud environments (AWS, GCP)
- Experience participating in bug bounty programs
- Exposure to DevSecOps and CI/CD integration practices