H.W. Kaufman Group is a powerful global network of companies dedicated to shaping the future of insurance. They are seeking an Application Security Engineer to secure their applications by integrating security best practices into the Software Development Lifecycle (SDLC) and collaborating with development teams to enhance security measures.
Responsibilities:
- Partner with development teams to embed security best practices across the SDLC, including design, development, and deployment, and provide secure coding guidance
- Conduct threat modeling and security architecture reviews to identify design-level risks and implement appropriate security controls
- Identify, assess, and mitigate application vulnerabilities through a combination of automated (SAST/DAST) and manual code reviews, as well as penetration testing, and drive risk-based remediation
- Implement and manage application security tools, including SAST, DAST, Software Composition Analysis (SCA), and other security scanning solutions
- Ensure application security practices align with regulatory requirements such as NYDFS (23 NYCRR Part 500) and with industry standards and guidance such as NIST and OWASP
- Partner with DevOps, IT, and security teams to integrate security into CI/CD pipelines and engineering workflows
- Design and oversee the implementation of authentication, authorization, and access control mechanisms for APIs and platforms
- Develop and enforce secure usage standards and governance for AI tools and AI-generated code, addressing risks such as prompt injection, data leakage, insecure code generation, and model misuse, while aligning with regulatory and industry standards
Requirements:
- 5+ years of experience in application security, secure software development, and vulnerability management
- Strong knowledge of secure coding practices, OWASP Top 10, OWASP Top 10 for LLMs, MITRE ATLAS, and common security vulnerabilities
- Experience with containerization technologies such as Docker and Kubernetes, including how containers operate and how to secure their interactions with each other and the host
- Experience with security testing tools (e.g., Burp Suite, Fortify, Veracode, or similar)
- Familiarity with DevSecOps principles and integrating security into CI/CD pipelines
- Direct experience with security tools such as vulnerability scanners, intrusion detection systems, and log analysis tools
- Understanding of regulatory frameworks and compliance requirements (e.g., NYDFS, GDPR, SOC 2)
- Ability to script and automate using languages such as Python, PowerShell, or Bash, and to leverage AI-driven tools to streamline and enhance security processes and workflows
- Experience with Black Duck/Polaris and with Apex code (Salesforce) is a plus
- Relevant certifications such as Certified DevSecOps Engineer, CISSP, OWASP certifications, GIAC GWAPT