Posted on: 31/01/2026
Role Summary:
We are seeking a high-caliber Senior Application Security Engineer with a foundational background in software engineering to act as a strategic liaison between our Development and Security teams.
In this critical role, you will not be writing production code or performing line-by-line manual code reviews; instead, you will function as a "Security Advocate," translating complex vulnerability findings into actionable insights for developers.
You will oversee the remediation of vulnerabilities identified by Snyk, Bugcrowd, and ethical hackers, ensuring our security posture keeps pace with a rapid bi-weekly deployment schedule.
The ideal candidate is a former developer who speaks the language of engineering and can effectively push for secure coding practices within a modern CI/CD ecosystem.
Responsibilities:
- Security-Development Liaison: Serve as the primary point of contact between the Security and Engineering teams, facilitating discussions on vulnerability impacts and remediation strategies.
- Vulnerability Lifecycle Management: Analyze and prioritize security findings from automated tools (Snyk) and manual sources (Bugcrowd / Pentesting), ensuring they are clearly understood by the development squads.
- Rapid Deployment Oversight: Align security verification with our two-week release cycle, ensuring that promotions to production do not introduce regressions or new vulnerabilities.
- Technical Advocacy: Take findings to development teams to discuss the underlying root causes of vulnerabilities (OWASP Top 10, CWE) and provide guidance on secure architectural patterns.
- Tooling & CI/CD Integration: Orchestrate the integration of security scanning tools into CI/CD pipelines to enable automated, frictionless security testing for developers.
- Bug Bounty & Ethical Hacking Coordination: Manage the intake of reports from Bugcrowd and external ethical hackers, validating findings and translating them into technical Jira tickets for engineering.
- Cloud Security Alignment: Leverage knowledge of cloud security features (AWS, Azure, or GCP) to ensure that application-level vulnerabilities are mitigated by appropriate infrastructure controls.
- Standard Compliance: Ensure application security practices align with industry frameworks such as OWASP Top 10, SANS Top 25, and CVE classifications.
- Risk Mitigation & Communication: Effectively communicate the business risk of technical vulnerabilities to both technical leads and non-technical stakeholders.
Technical Requirements:
- Engineering Foundation: Must have prior experience as a Software Developer or Engineer, with proficiency in languages like Python, JavaScript, or Java.
- AppSec Expertise: 3+ years of dedicated experience in application security, penetration testing, and secure software development.
- Tooling Mastery: Hands-on experience with Snyk (for SCA/SAST) and managing Bugcrowd or similar bug bounty platforms.
- Web Technologies: Strong understanding of REST APIs, HTML, JavaScript, and modern web application frameworks.
- Security Frameworks: Deep familiarity with OWASP, CWE, and CVE taxonomies.
Preferred Qualifications:
- Certifications: Industry-recognized credentials such as CSSLP, GWAPT, OSCP, or CEH.
- DevSecOps: Experience with container security (Docker/Kubernetes) and integrating security into automated pipelines.
- Compliance: Familiarity with regulatory frameworks like SOC 2, ISO 27001, or PCI DSS.
- Agile Proficiency: Prior experience in high-velocity DevOps or Agile environments.
Core Competencies:
- Interpersonal Communication: Ability to collaborate effectively with developers, persuading them to prioritize security without causing friction.
- Analytical Problem Solving: Excellence in deconstructing complex exploits to explain "the why" behind a security flaw.
- Result Driven: A focus on reducing the mean time to remediate (MTTR) critical vulnerabilities.
- Empathy for Developers: A grounded understanding of development pressures, enabling the provision of realistic security advice.
Posted by
Sheryl strategic solutions Pvt. LTD .
HR at Sheryl strategic solutions Pvt. LTD .
Last Active: 31 Jan 2026
Posted in
CyberSecurity
Functional Area
Cyber Security
Job Code
1608377