Senior Application Security Engineer

About the role: We're looking for a Senior Application Security Engineer to work hands-on with software engineering teams and help build a strong, practical application security program. You'll embed with product teams early, influence designs before code ships, and focus on reducing real risk (not generating ticket noise). This is a high-impact role with both technical depth and the opportunity to shape how application security is delivered at scale.

What you'll do
- Partner directly with development teams as part of day-to-day engineering workflows
- Perform hands-on secure code reviews (Java-focused) and provide actionable remediation guidance
- Lead and maintain threat models with engineers and security partners
- Improve security testing outcomes by tuning tools and reducing false positives (signal over noise)
- Define and document secure-by-design patterns (authentication, APIs, data handling) teams can adopt consistently
- Drive vulnerability management as a "business-as-usual" discipline that engineering teams use
- Execute and support application security testing activities (e.g., threat modeling, scanning, and support to penetration testing efforts)
- Communicate security risk clearly to technical and non-technical stakeholders
- Serve as a security release gate when required, making clear risk-based decisions

What you'll bring
- Years of application security experience with strong engineering fundamentals
- Experience reading and writing code; strong comfort reviewing and discussing code with developers
- Strong understanding of secure design and threat modeling for modern web services
- Hands-on experience with AppSec tooling (SAST, SCA, DAST, and vulnerability scanning) and improving tool signal quality
- Solid identity and auth knowledge (e.g., OAuth2 / OIDC concepts and implementations)
- Ability to influence without relying on "security says no" — you bring proposals, not just problems
- Confidence communicating risk, tradeoffs, and recommendations to a broad audience

Preferred / nice to have
- Deep experience with Java ecosystems (Spring / Spring Boot) and modern web application security
- API security expertise and experience defining secure API patterns
- Exposure to environments with higher assurance needs (regulated or OT-connected environments)
- Familiarity with Kubernetes-deployed applications and modern CI/CD practices
- Awareness of cloud-native security patterns (helpful, but not the primary ownership area for this role)
- Interest in using AI-enabled tools to increase the leverage of a lean security function

Why this role: You'll have meaningful ownership, visible impact, and the chance to help shape how application security is practiced—working side-by-side with engineering teams to ship secure software efficiently.