Senior Application Security Engineer

📋 Description

• • Conduct systematic threat modeling using the MITRE ATT&CK framework to identify risks, define attack paths, and propose mitigations early in the software development lifecycle.
• • Perform in-depth security architecture reviews to ensure applications and microservices adhere to secure design principles and industry standards.
• • Collaborate with engineering teams to conduct code reviews, identify vulnerabilities, and champion adherence to OWASP Top 10 best practices.
• • Integrate Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) tools into CI/CD pipelines to enable continuous, automated vulnerability detection.
• • Analyze SAST/DAST reporting outputs and guide engineering teams toward timely and sustainable remediation strategies.
• • Perform or coordinate targeted penetration tests on critical applications and systems to uncover exploitable weaknesses.
• • Document security findings and partner directly with developers to implement lasting fixes that align with organizational risk tolerance.
• • Advise on the implementation of symmetric and asymmetric encryption mechanisms to protect data at rest and in transit across all environments.
• • Oversee secure key management practices, ensuring cryptographic libraries and protocols are correctly configured and updated.
• • Develop and deliver training programs on secure coding fundamentals, OWASP principles, and secure development lifecycle practices.
• • Lead the "shift-left" security initiative by embedding security considerations into the earliest phases of product development, requiring strong engineering background to effectively coach and collaborate.
• • Investigate and document application-focused security incidents, determining root causes and implementing preventive controls.
• • Maintain and refine incident response playbooks, incorporating lessons learned from real-world events to enhance organizational resilience.
• • Align application security practices with regulatory frameworks including PCI DSS, SOC 2, and ISO 27001 to support compliance and audit readiness.
• • Work closely with Risk, Fraud, and Compliance teams to ensure engineering security initiatives are aligned with business objectives and regulatory requirements.
• • Operate in a hybrid model, splitting time between remote work and three days per week on-site at Imprint’s offices in New York City, San Francisco, or Seattle.
• • Act as a security subject matter expert across multiple engineering teams, influencing secure design decisions in cloud-native, microservices-based environments.
• • Evaluate and recommend security tooling and automation solutions to scale AppSec efforts across a rapidly growing FinTech platform.
• • Ensure cryptographic implementations comply with NIST standards and organizational security policies for key generation, rotation, and storage.
• • Promote a culture of security ownership among developers by translating complex threats into actionable, engineering-friendly guidance.
• • Support regulatory audits by preparing documentation, evidence, and testimony related to application security controls and practices.