PrizePicks is seeking a Senior Application Security Engineer to enhance their application security practices. The role involves supporting application security tooling within CI/CD pipelines, acting as a security champion for engineering teams, and leading threat modeling exercises to identify risks before code is written.
Responsibilities:
- Support and tune application security tooling (SAST, SCA, secrets detection) within our CI/CD pipelines so that developers receive accurate, actionable, and prioritized alerts rather than noise
- Act as the primary security partner for Engineering and Product teams, ensuring security is baked in from the design phase through deployment
- Lead collaborative threat modeling exercises to identify architectural risks before code is even written
- Partner with penetration testing teams to translate these threats into targeted testing scenarios for high-risk functions
- Perform deep-dive code reviews and provide actionable remediation guidance
- Help lead the effort to find and remove hard-coded secrets from code and configuration, moving the organization toward automated, centrally managed secret storage and rotation
- Help manage our bug bounty program by triaging submissions, working with researchers, and validating fixes with our engineers
- Serve as the security consultant for AI/ML initiatives
- Partner with engineering to design secure LLM-backed features, focusing on prompt injection prevention, data privacy and sanitization of model inputs and outputs, and secure integration of third-party AI APIs
- Support the team during application-related security incidents, bringing your deep knowledge of code and logic to the table
- Perform security assessments on new features to help identify logic flaws that automated scanners might miss
- Partner with our penetration testing team on high-risk releases to exchange knowledge and continuously sharpen your offensive security skillset
- Translate technical vulnerabilities into business risk
- Document and present findings in a way that is actionable for engineers and understandable for leadership
Requirements:
- 3+ years of professional experience in software development, mobile development, or application security
- CI/CD pipeline expertise: hands-on experience integrating and maintaining security tooling (SAST, DAST, SCA, secrets detection) in automated workflows (e.g., GitHub Actions, GitLab CI, Jenkins), with strong experience building security workflows in GitHub Actions
- AppSec tooling: proven proficiency in deploying and tuning SAST, DAST, and SCA tools (e.g., Snyk, CodeQL, Dependabot, Mend, Wiz)
- Deep knowledge of the OWASP Web Security Testing Guide (WSTG) and/or Mobile Application Security Testing Guide (MASTG) and the ability to think like a threat actor
- Threat modeling: experience performing architectural threat models on products and services to catch flaws before they are built
- Familiarity with the OWASP Top 10 for LLM Applications
- Experience supporting an incident response (IR) process, specifically providing the AppSec perspective to scope an exploit and verify that a patch truly mitigates it
- A deep understanding of how web applications work
- Cloud native: working knowledge of Kubernetes and containerized compute services
- Security testing: comfortable using Burp Suite or Postman to manually validate logic flaws
- Proven ability to define risks in both technical and business terms