Senior Application Security Engineer
Indexed description
What You'll Do
- Identify, triage, and remediate application vulnerabilities directly in the code — writing the fix and shepherding it through review and deployment with the owning team, not just filing tickets.
- Validate and reproduce findings to eliminate false positives, assess real exploitability and business impact, and drive remediation to closure against defined SLAs.
- Operate, tune, and continuously improve application security tooling (SAST, DAST, software composition analysis and dependency scanning, secrets scanning, and container/image scanning), integrating findings into developer workflows.
- Embed security into CI/CD pipelines and Git-based workflows so vulnerabilities are caught automatically — and, wherever possible, fixed — before code reaches production.
- Partner with development teams to define and roll out secure coding standards and pre-commit / pre-merge checks, shifting security left so issues are caught and fixed before code is committed.
- Lead threat modeling for new features and architecture changes, and perform security-focused code reviews for sensitive changes.
- Maintain application security standards (OWASP Top 10 prevention, input validation and output encoding, parameterized queries, secure-by-default design) and enforce secure API practices.
- Strengthen software supply chain and repository security.
- Maintain compliance with industry-standard frameworks and produce evidence for audits (SOC 2, NYDFS, and PCI DSS).
- Coach developers through hands-on enablement and a security champions program, and provide application security expertise during incident response.
- Lead security projects independently, delivering them on time while aligning with business and security goals.
- Other duties and responsibilities as assigned.
Skills And Qualifications
- Bachelor’s degree in Computer Science, Information Technology, Cybersecurity, or relevant work experience.
- Minimum of 4-6 years of practical experience in application security, secure software engineering or software engineering with a strong security focus.
- Current, hands-on development ability in one or more languages used in modern web platforms (e.g., Python, JavaScript/TypeScript, Go, or Java) — you can read, write, and ship production code to fix vulnerabilities, not just describe them.
- Deep, practical knowledge of the OWASP Top 10, common web and API vulnerability classes, and secure coding practices.
- Hands-on experience with application security tooling categories — SAST, DAST, SCA / dependency scanning, and secrets scanning — and integrating them into developer workflows.
- Experience performing threat modeling and security-focused code reviews.
- Working knowledge of application security in a cloud environment (AWS preferred).
- Strong collaboration and communication skills — you can influence developers, explain remediation clearly, and make security the easy choice.
- Relevant certifications such as OSWE, GWAPT, CSSLP, OSCP, or AWS Certified Security - Specialty
- Experience with multi-account cloud setups or advanced cloud security architectures.
- Experience with container and Kubernetes security, and Infrastructure-as-Code security (e.g., Terraform).
- Experience working in a regulated environment (SOC 2, PCI DSS, NYDFS, or similar).
- Bug bounty participation, security research, CTF, or other offensive-security experience.
- Background in InsurTech, FinTech, or another data-sensitive industry.
- Must be able to sit/stand/walk for prolonged periods of time, (up to 8 hours per day) at a desk working on a computer.
- Must be able to use standard office equipment for extended periods of time, including but not limited to, a mouse, keyboard, phone and video conferencing.
Benefits
We offer competitive compensation and progressive benefits that include:
- Medical, Dental, and Vision
- Flexible PTO Policy
- 401(k) with a company match
- Employee Assistance Program
- Parental Leave
- Disability and Life Benefits
Penguin bling. Like swag themed after a certain Antarctic bird? Just. You. Wait.
Bold Penguin believes in inclusion. That’s why we’re proud to be an equal opportunity employer that considers all qualified applicants regardless of race, color, religion, gender identity or expression, sexual orientation, national origin, genetics, disability, age, or veteran status. To learn more about our results-focused culture and employee-focused perks, read more on our careers page.
Create a free Caio profile to unlock more results and save your role and location preferences.
Unlock free search