Application Security Engineer

Summary

Join Andesite, a cybersecurity firm, as an Application Security Engineer to secure software applications and cloud environments. You will identify and mitigate vulnerabilities throughout the development lifecycle, performing application threat modeling, code reviews, and managing security tools. This role requires maintaining the confidentiality, integrity, and availability of stakeholder information and systems. You will also support vulnerability assessments, deliver real-time threat response, and educate engineering teams on secure development practices. The position offers a competitive salary, benefits, and a flexible work environment.

Requirements

• 4+ years of experience in application security, secure software development, or a similar security-focused engineering role
• 2+ years of hands-on experience securing cloud-native applications and infrastructure
• Deep understanding of secure design principles, threat modeling, and software risk assessment
• Proficient in at least one programming language
• Strong knowledge of secure coding practices and ability to guide developers through remediation
• Experience writing scripts or tools to automate security tasks
• Expert understanding of OWASP Top 10, CWE/SANS Top 25, and other software security standards
• Familiarity with SAST, DAST, and SCA AppSec tools
• Experience integrating security tooling into CI/CD pipelines (DevSecOps)
• Knowledge to perform penetration testing on AI components
• In-depth experience with at least one major cloud platform (AWS, Azure, or GCP)
• Hands-on experience implementing cloud security controls
• Familiarity with infrastructure as code (IaC) security tools
• Knowledge of container security and orchestration best practices
• Exposure to cloud-native security services
• Experience conducting architecture and design reviews for security across applications and cloud environments
• Understanding of cloud compliance frameworks (e.g., PCI DSS, CIS benchmarks, NIST, SOC 2, ISO 27001)
• Ability to implement and maintain secure configurations aligned with industry standards
• Strong collaboration skills with developers, DevOps, and cloud engineering teams
• Comfortable working across the SDLC to embed security from design through deployment
• Ability to influence technical direction and security architecture
• Excellent communication skills for both technical and non-technical audiences

Responsibilities

• Product Security: Proactively find security weaknesses during design, development, testing, and deployment phases, and work with teams to remediate them before they reach production
• Application Threat Modeling and Secure Design Reviews: Analyze application components, data flows, and trust boundaries to anticipate potential threats and integrate security into architectural decisions early
• Application Security Operations: Manage and maintain SAST, DAST, and SCA tooling: Configure, tune, and operationalize static, dynamic, and software composition analysis tools to support scalable and effective application security testing
• Code Review: Conduct manual and automated code reviews to detect insecure coding patterns, logic flaws, and injection risks, ensuring code adheres to secure development standards
• DevSecOps: Develop and maintain custom scripts and tools to automate security tasks, enhance visibility, and integrate security into development and operational workflows
• Cloud Engineering: Enforce least privilege, secure network architectures, and strong identity and access controls across cloud accounts and services
• System Monitoring: Monitor computer networks and systems with SIEM to identify vulnerabilities and respond to security threats and attacks
• Vulnerability management: Support with scanning, tracking, and remediating security vulnerabilities across systems and applications
• Educate: Provide training, documentation, and hands-on guidance to developers and engineers to build a strong security culture and shift security left in the SDLC
• Professional Development: Stay current with industry developments and best practices through training, conferences, and other professional development activities

Preferred Qualifications

• Bachelor's degree in Computer Science, Cybersecurity, Information Technology, or related field (or equivalent practical experience)
• Experience with SIEM/SOAR platforms and cloud log analysis
• Participation in red/blue team exercises or security incident response in cloud environments, experience with PCI DSS desired
• Contributions to open-source security tools or community knowledge sharing
• Familiarity with Zero Trust principles and architectures

Benefits

• A competitive salary, bonus, and equity package
• 100% employer paid, comprehensive health insurance including medical, dental, and vision for you and your family
• Unlimited PTO, with your manager’s approval
• Flexible work environment where you manage your workday
• A remote-first environment, with occasional travel to collaborate with customers, your team, and teammates from across the company in person
• 14 weeks of fully-paid parental leave