Job Description
Overview
The Application Security Engineer champions the integration of security at every stage of the software development lifecycle (SDLC), partnering with IT and development teams to implement threat modeling, security reviews, and automated assessments that strengthen and evolve the organization's application security posture.
Responsibilities:
- Oversee and support the execution of the Application Security program, providing security governance and guidance across engineering teams.
- Drive the implementation and usage of application security tooling (e.g., SAST, DAST, SCA, fuzz testing) while maintaining flexibility across technologies.
- Collaborate with stakeholders to define security metrics and reporting mechanisms that inform leadership and guide remediation priorities.
- Mentor developers and serve as the voice of application security—translating risks into actionable strategies for both technical and non-technical stakeholders.
- Ensure that vulnerabilities are remediated before code moves to production and provide guidance on the remediation process for application / API security vulnerabilities.
- Track and manage vulnerabilities while working closely with developers to empower them with secure coding practices.
- Coordinate with Application Development and Security teams to foster collaboration and ensure that security is embedded throughout the development lifecycle.
- Utilize automation to incorporate security measures into every stage of the DevOps pipeline to protect applications and APIs.
- Evaluate third-party services for potential weaknesses in their security posture.
Requirements:
- 5+ years' experience in Application Security with demonstrated success securing web, mobile, or cloud (Azure / AWS) apps in production, with hands-on SAST / DAST / SCA experience.
- Proven ability to assess existing security designs and strategically mature them over time, moving beyond basic implementations to robust, resilient systems.
- Deep knowledge of application layer attacks and defense mechanisms (XSS, CSRF, SQLi, XXE, SSRF, broken access control, etc.).
- Deep knowledge of common web, API and cloud vulnerabilities (e.g., OWASP Top 10, CWE, authentication flaws, etc.).
- Deep knowledge of vulnerabilities, reachability, exploitability and how they affect applications.
- Deep knowledge of code scanning methods including Static Application Security Testing (SAST), Software Composition Analysis (SCA), Infrastructure as Code (IaC) Security, API Security, and Dynamic Application Security Testing (DAST).
- Strong knowledge of cryptography (symmetric, asymmetric, hashing) and its various applications.
- Strong experience with custom scripting (Python, C++, PowerShell, Bash, etc.) and process automation.
- Strong knowledge of common enterprise infrastructure technology stacks and network configurations.
- Knowledge of shift-left strategies and embedding controls early in the development lifecycle.
- Knowledge of automated code scanning tools and development pipeline tools.
- Ability to positively influence the behavior of peers and build relationships with other teams without direct authority over those teams.
- Ability to balance security requirements with business needs and development velocity, finding practical solutions that enhance security without hindering progress.