Application Security Engineer

Role Objective:

The Security Engineer will be responsible for supporting the secure design, development, and deployment of applications by identifying vulnerabilities, performing code and security reviews, and collaborating with engineering teams to embed security throughout the software development lifecycle. They will also contribute to threat modeling, security testing, and the continuous improvement of application security practices and tools.

Key Roles & Responsibilities:

1. Perform basic application security testing (SAST, DAST) using tools like Burp Suite, SonarQube, or Veracode.
2. Perform manual and automated code reviews, vulnerability assessments, and penetration testing for web and mobile applications.
3. Collaborate with developers to identify and remediate security issues during the SDLC (Secure Development Lifecycle).
4. Analyze findings from SAST, DAST, and SCA tools and guide teams on resolution.
5. Participate in threat modeling and design review sessions to identify potential security risks.
6. Assist in maintaining and evolving secure coding guidelines and developer training.
7. Work with QA and DevOps teams to integrate security tools into CI/CD pipelines.
8. Stay current on emerging threats, attack techniques, and security trends.
9. Document technical security findings, track remediation, and contribute to risk assessments.
10. Support application security awareness efforts across engineering teams.

Required Experience, Education, Knowledge, and Skills:

1. 0–3 years of experience in application security or related fields.
2. Bachelor’s or master’s degree in cybersecurity, computer science, or a related field.
3. Basic knowledge of application vulnerabilities and security testing tools.
4. Familiarity with at least one programming language (e.g., Java, .NET, Python, JavaScript).
5. Eager to learn and grow in AppSec.
6. Good communication and teamwork skills.
7. Detail-oriented with a problem-solving mindset.

Preferred Certifications: E|CDE, C|ASE, OSWA, eWPT, GWAPT, or similar (a plus, not required).