Application Security Engineer

Overview

Role Overview

Secure Sdlc Ownership

• Define and maintain the organisation’s secure software development lifecycle.
• Introduce security requirements at the earliest design and discovery stages.
• Establish security checkpoints in each phase of the lifecycle, from design and implementation to testing and deployment.
• Ensure product and engineering teams include clear security acceptance criteria in user stories and technical tasks.
• Work with engineering leaders to ensure security gates are predictable, measurable and aligned with delivery timelines. Code, Dependencies & Supply Chain Security
• Take operational ownership of automated application security tooling, including static code analysis, software composition analysis and dynamic testing.
• Integrate security tools into continuous integration and delivery pipelines with risk-based thresholds and build policies.
• Tune rules, policies and workflows to reduce false positives while keeping strong coverage on high-impact issues.
• Define and promote approaches for dependency and package management that encourage the use of centrally approved components.
• Coordinate upgrades or mitigation work when serious vulnerabilities are disclosed in frameworks, libraries or third-party components.

Threat Modeling & Design Reviews

• Lead structured threat modeling sessions for new applications, services and significant changes to existing products.
• Analyze application architectures, data flows and trust boundaries and document the main threats, required countermeasures and resulting engineering work.
• Perform security-focused design reviews for planned changes that impact sensitive data, business-critical flows or integration with external parties.
• Provide reusable design guidance for core security functions, including authentication, authorization, session management, input and output handling, and tenant isolation.

Api & Web And Mobile Security

• Define and maintain application and API security standards, including identity and access patterns, token usage, session management, rate control and schema validation.
• Review API and web application designs for alignment with these standards and with recognized application security practices.
• Work with cloud and infrastructure security teams on the configuration of runtime protections around applications, including web application protection, API gateways and automated abuse and bot detection.
• Provide guidance for future mobile or desktop clients on secure storage, channel protection and resilience against reverse engineering and tampering.

Security Testing & Offensive Work

• Plan and coordinate internal and external application security testing activities, including penetration tests and focused assessments.
• Define the scope, objectives, environments and test data needs for these activities, and ensure that results are documented and understood by owners.
• Track remediation activities end-to-end, ensuring that fixes are implemented, verified and integrated back into secure design patterns and tooling.
• Perform targeted application security testing directly for higher-risk areas and new critical functionality.

Developer Enablement & Culture

• Create and maintain secure coding guidelines aligned with the organization’s main technologies and platforms, using industry recognized references.
• Deliver training and workshops for development and quality teams on practical application security topics, common vulnerability classes and recurring issues observed in the codebase.
• Support a community of security-minded engineers through a structured program in which representatives from delivery teams collaborate regularly with the security function on upcoming changes, issues and improvements.
• Contribute to documentation, knowledge bases and self-service guidance that help teams make secure decisions without heavy process overhead.

Collaboration & Metrics

• Work closely with cloud, infrastructure and observability teams on logging requirements for applications, including what to log, where to send it and how to protect log data.
• Define security-relevant runtime signals for applications and collaborate on rules and controls in surrounding protection layers.
• Establish and maintain application security metrics and dashboard views, covering secure SDLC adoption, issue trends, tool coverage, remediation throughput and other indicators useful to engineering and management stakeholders.
• Provide concise written and verbal reports on application security posture, significant risks and progress of improvement initiatives.

Experience

• Professional experience in application security, product security or a closely related discipline, with significant interaction with software engineering teams.
• Practical background in at least one modern application stack and familiarity with common web and API architectures.
• Hands-on experience with secure SDLC practices, automated security testing, dependency management and remediation workflows.
• Experience with threat modeling, security design reviews and application security testing.

Skills & Competencies

• Strong understanding of common web, API and mobile security risks and relevant industry references and standards.
• Ability to read and reason about code in at least one of the main languages used internally and to give actionable guidance to development teams.
• Familiarity with security testing tools and platforms and with integrating them into engineering workflows.
• Strong communication skills, with the ability to translate complex security topics into clear, practical guidance for engineers and product stakeholders.

Education & Certifications

• Degree in Computer Science, Information Security, Engineering or a related discipline, or equivalent practical experience.
• Relevant security or application-focused certifications are considered an advantage.

Personal Attributes

• Strong sense of ownership for application security outcomes and a collaborative approach to working with product and engineering teams.
• Structured, analytical mindset with attention to detail and a focus on sustainable, scalable solutions.
• Interest in staying current with emerging application security threats, techniques and defensive practices.