The Eclipse Foundation is one of the world's largest open source software foundations, and it is seeking an Application Security Engineer to design, build, and operate AI-assisted vulnerability management workflows. This role combines application security, security automation, and practical use of large language models to help identify, triage, and remediate vulnerabilities across the Foundation's project portfolio.
Responsibilities:
- Build and integrate AI-assisted security tooling
- Develop scalable triage workflows
- Drive remediation
- Evaluate and improve tooling
- Support responsible AI use in security workflows
- Document and share knowledge
- Coordinate with the broader security team
Requirements:
- Strong application security background, including familiarity with common vulnerability classes such as OWASP Top 10 and CWE, secure coding practices, and practical exploitability analysis
- Hands-on experience conducting security code reviews, audits, or assessments using SAST, DAST, SCA, dependency scanning, or other code analysis tools
- Ability to build and integrate developer-facing tooling using languages such as Python, Java, TypeScript, or similar
- Practical experience applying LLMs or AI-assisted tools to code analysis, vulnerability research, developer productivity, or security automation
- Ability to evaluate AI-generated findings critically, measure false positives, and design human-in-the-loop review workflows
- Familiarity with open source development workflows, including Git, GitHub or GitLab, pull requests, issue tracking, and CI/CD
- Strong written communication skills, including the ability to write actionable security findings, advisories, issues, and remediation guidance for maintainers with varying security backgrounds
- Experience contributing to or maintaining open source projects
- Familiarity with the Eclipse Foundation ecosystem, including projects such as Eclipse IDE, Jakarta EE, Adoptium, Eclipse Mosquitto, or Software Defined Vehicle
- Experience with tools such as CodeQL, Semgrep, GitHub Advanced Security, osv-scanner, Trivy, Grype, Syft, Dependabot, or similar
- Background in prompt engineering, retrieval-augmented generation, or model evaluation for code-related tasks
- Experience with vulnerability disclosure and CVE processes
- Knowledge of software supply-chain security practices and technologies such as SBOM, Sigstore, SLSA, OSV, or OpenSSF Scorecard
- Experience building dashboards, metrics, or reporting workflows for security programs