PrizePicksRemote
Senior AppSec Engineer
United States of America
Full Time
4 weeks ago
$130,000 - $180,000 USD
No H1B
Key skills
AIMLLLMKubernetesJenkinsGitHub ActionsGitLab CIPostmanGitHubGitLabMobile DevelopmentCI/CDLeadershipCommunicationSnykOWASPPenetration Testing
About this role
PrizePicks is the fastest-growing sports company in North America, recognized for its leading platform in Daily Fantasy Sports. The Senior AppSec Engineer will support and optimize application security tooling, act as a security champion for engineering teams, and lead threat modeling exercises to enhance the security of the company's applications.
Responsibilities:
- Own the Pipeline: Support and optimize application security tooling (SAST, SCA, Secrets Detection) within our CI/CD pipelines to provide accurate, actionable, and prioritized alerts to devs
- Be a Security Champion: Act as the primary security partner for Engineering and Product teams, ensuring security is baked in from the design phase through deployment
- Threat Modeling: Lead collaborative threat modeling exercises to identify architectural risks before code is even written. Partner with penetration testing teams to translate these threats into targeted testing scenarios for high-risk functions
- Code-Level Remediation: Don’t just tell devs what is wrong—show them how to fix it by performing deep-dive code reviews and providing actionable remediation guidance
- Secrets Management: Help lead the charge in identifying and removing hard-coded secrets, moving the org toward more secure, automated secret management practices
- Bug Bounty & Research: Help manage our bug bounty program by triaging submissions, working with researchers, and validating fixes with our engineers
- Secure AI Integration: Serve as the security consultant for AI/ML initiatives. Partner with engineering to design secure "LLM-backed" features, focusing on prompt injection prevention, data privacy/sanitization, and secure integration of third-party AI APIs
- Incident Response: Support the team during application-related security incidents, bringing your deep knowledge of code and logic to the table
- Feature Validation: Perform security assessments on new features to help identify logic flaws that automated scanners might miss. Partner with our penetration testing team on high-risk releases to exchange knowledge and continuously sharpen your offensive security skillset
- Strategic Communication: Translate technical vulnerabilities into business risk. You’ll be responsible for documenting and presenting findings in a way that is actionable for engineers and understandable for leadership
Requirements:
- 3+ years of experience in software development, mobile development, or application security
- CI/CD Pipeline Expertise: Hands-on experience integrating security tools (SAST, DAST, SCA, Secrets Detection) into automated workflows (e.g., GitHub Actions, GitLab CI, Jenkins)
- Deep knowledge of the OWASP Web Security Testing Guide (WSTG) and/or Mobile Application Security Testing Guide (MASTG)
- Experience conducting Threat Modeling to catch flaws before they are built
- Familiarity with the OWASP Top 10 for LLMs
- Experience supporting an Incident Response (IR) process
- A deep understanding of how web applications work
- Proven ability to define risks in both technical and business terms
- 3+ years of professional experience in Software Development or Application Security
- AppSec Tooling: Proven proficiency in deploying and tuning SAST, DAST, and SCA (e.g., Snyk, CodeQL, Dependabot, Mend, Wiz)
- Threat Modeling: Experience performing architectural threat models on products and services
- CI/CD Automation: Strong experience building and maintaining security workflows in GitHub Actions
- Cloud Native: Working knowledge of Kubernetes and containerized compute services
- Security Testing: Comfortable using Burp Suite or Postman to manually validate logic flaws