Polymarket Inc.

Application Security Engineer

Job Overview

Location

New York

Job Type

Full-time

Category

Security Engineer

Date Posted

May 21, 2026

Full Job Description

Description

  • Own the end-to-end application security program across the software development lifecycle, ensuring security is integrated from design through deployment to prevent vulnerabilities from reaching production.
  • Conduct threat modeling and security design reviews for new features and architectural changes, delivering specific, actionable findings to engineering teams to mitigate risks before implementation.
  • Lead secure code reviews for high-risk changes, focusing on authentication, authorization, financial transaction flows, and API security, with clear guidance tailored to the engineering stack.
  • Deploy, tune, and integrate SAST, DAST, and SCA tooling (e.g., Semgrep, Snyk, Burp Suite) into CI/CD pipelines to surface findings at commit time rather than post-deployment.
  • Triage and prioritize automated scanner output by risk ranking, transforming raw alerts into actionable, prioritized backlogs that engineering teams can efficiently address.
  • Perform manual penetration testing on web applications, REST/GraphQL APIs, and internal services, with emphasis on identifying exploitable flaws in authentication, session management, RBAC, and financial systems.
  • Manage the external penetration testing program, coordinating with third-party testers and ensuring comprehensive coverage of critical attack surfaces.
  • Operate the company’s bug bounty program end-to-end, including triage of submissions, severity calibration, researcher communication, and payout coordination.
  • Track and drive remediation of application-layer vulnerabilities across the entire product portfolio, monitoring CVEs and escalating critical, exploitable issues for immediate action.
  • Develop and maintain secure coding guidelines and developer-facing security education materials aligned with the team’s technology stack and evolving threat landscape.
  • Act as a security partner to product and engineering teams, embedding secure practices into rapid development cycles without creating bottlenecks or slowing innovation.
  • Collaborate with infrastructure and DevOps teams to ensure application-layer security controls are properly configured in cloud environments, particularly on AWS.
  • Stay current with emerging attack vectors and security standards in web applications, APIs, and blockchain-based systems to continuously improve the security posture of the platform.
  • Communicate complex security risks clearly and concisely to technical and non-technical stakeholders, ensuring findings are understood and acted upon promptly.
  • Foster a culture of security ownership by encouraging adoption of secure development practices across engineering teams, including mentoring and knowledge sharing.

Skills & Technologies

Python
TypeScript
Express
AWS
GraphQL
Onsite


About Polymarket Inc.

Polymarket is a decentralized prediction market platform that allows users to trade on the outcomes of future events. Operating on blockchain technology, it enables individuals to bet on a wide range of topics, including politics, current events, and cryptocurrency. The platform facilitates transparent and trustless trading by leveraging smart contracts, ensuring that payouts are automatically executed based on verified event resolutions. Polymarket aims to democratize information and provide a novel way for people to engage with and profit from their insights into the future, fostering a global community of informed predictors.
