Key skills
Application SecuritySAST toolingDAST toolingSCA toolingCSPM toolingCI/CD pipelinesPipeline integrationContainer securityDockerKubernetesAPI securityRESTGraphQLThreat modelingSecurity Champions programAWS security servicesOSCP certificationGWAPT certificationCSSLP certificationAWSJenkinsGitHub ActionsGitLab CIIAMGitHubGitLabSaaSSDLCCI/CDLeadershipSnykCheckmarx
About this role
Arcadia is the global utility data and energy solutions platform. They are seeking a technically hands-on Application Security Engineer to join the Information Security team, responsible for managing the vulnerability lifecycle and integrating security automation into the CI/CD pipeline.
Responsibilities:
- Own the end-to-end vulnerability management lifecycle: triage, prioritize, and drive remediation of findings from SAST, DAST, and SCA tooling in partnership with engineering squads
- Maintain, optimize, and extend security tooling integrations within the CI/CD pipeline with the goal of automating everything that can be automated
- Launch and run a Security Champions program, including workshops and office hours, to embed security knowledge directly into development teams across multiple geographies
- Act as the application-layer subject matter expert during security incidents, supporting triage, root cause analysis, and remediation
- Partner with Product and Engineering leadership to introduce security touchpoints earlier in the SDLC, including threat modeling and design review processes
Requirements:
- 3–5 years of dedicated Application Security experience in a SaaS or cloud-native environment
- Hands-on proficiency with at least two of the following: SAST, DAST, SCA, or CSPM tooling (e.g., Snyk, Checkmarx, Semgrep, Wiz)
- Strong working knowledge of CI/CD pipelines (e.g., GitHub Actions, Jenkins, GitLab CI) and the ability to write and maintain pipeline integrations
- Experience with container security (Docker, Kubernetes) and API security patterns (REST, GraphQL)
- Demonstrated ability to communicate technical risk to non-security engineers in a way that drives action, not anxiety
- Experience standing up or maturing a Security Champions program
- Familiarity with cloud-native AWS security services (GuardDuty, Security Hub, IAM Access Analyzer)
- Exposure to threat modeling frameworks (STRIDE, PASTA, or lightweight equivalents)
- Relevant certifications (OSCP, GWAPT, CSSLP) — valued but not required