The Application Security Engineer ensures robust security practices within a highly regulated SaaS environment. Collaborating closely with Product and Development teams, this role embeds security throughout the Software Development Life Cycle (SDLC), from design to deployment and ongoing maintenance. The engineer manages automated vulnerability scanning tools, coordinates penetration tests, advises on secure architecture, and supports compliance, risk management, and incident response initiatives.

Monitor and analyze security alerts and vulnerability reports, prioritizing and validating vulnerabilities for timely remediation.

Maintain and optimize automated vulnerability scanning systems (SAST/DAST), ensuring comprehensive application security assessments.

Coordinate and manage third-party penetration tests, bug bounty programs, and vulnerability assessments, responding effectively to findings.

Collaborate cross-functionally to perform architectural and code reviews, delivering actionable recommendations for enhanced application security.

Develop and maintain application threat models to inform proactive risk management and security posture improvements.

Assist internal teams in vulnerability remediation using industry-standard tools (e.g., Veracode, Qualys, Rapid7, Burp).

Support incident response activities, enabling rapid identification, containment, and resolution of application security incidents.

Stay current on emerging security threats, vulnerabilities, and industry best practices, translating insights into practical guidance.

Provide security expertise in risk management, compliance audits, and client communications to enhance the overall security posture.

Perform other duties as assigned

Bachelor’s degree in Computer Science, Management Information Systems, Cybersecurity, or a related field is required, or equivalent combination of education and experience

4 years of experience in application security engineering, software engineering, or related security-focused roles required.

3 years of hands-on experience identifying and qualifying application security vulnerabilities, preferably within web, financial services, or mobile application environments required.

Experience with AWS, Git, and industry-standard application vulnerability platforms required.

Proficiency analyzing application source code (e.g., TypeScript, JavaScript, C#, Java, Swift) to identify security vulnerabilities.

Strong technical knowledge of security vulnerabilities and standards (OWASP Top 10, CWE, CVSS scoring).

Deep familiarity with authentication and authorization protocols (e.g., SAML, OAuth 2.0, JWT).

Applied knowledge of cryptographic practices, including encryption standards, hashing algorithms, and authentication lifecycle management.

Excellent analytical, communication, and coordination skills, with the ability to effectively manage and communicate security remediation tasks.

Ability to maintain productivity and professionalism in remote or distributed team environments.

Demonstrated passion for continuous security learning and staying updated on industry threats and trends.

Minimal, generally 12 days or less per year

$120,000 - $130,000 a year