Application Security Engineer

Summary

Join The Motley Fool as a mid to senior-level Application Security Engineer. You will be responsible for identifying, validating, and remediating security risks across a multi-language environment. A growing focus will be securing AI and LLM-based applications, helping define best practices and build safeguards. This role requires strong technical instincts, a bias for action, and the ability to own complex projects. You will work with developers and cross-functional stakeholders, proactively engaging and escalating issues. The ideal candidate will have 3–7 years of experience in Application Security and a strong background in Python or other backend languages.

Requirements

• 3–7 years in Application Security, Penetration Testing, or Secure Software Development
• Strong background in Python or other backend languages (C#, PHP)
• Experience with security testing methodologies and tools, including SAST, DAST, IAST, RASP, SCA, API Security tools (e.g., Noname, Traceable, Levo), Client-side Security tools (e.g., Feroot, Source Defense), and CNAPP
• Working familiarity with cloud-based technologies, particularly AWS (e.g., IAM, VPCs, S3, Lambda, CloudFront, Security Groups)
• Deep understanding of OWASP Top 10, CWE Top 25, and secure SDLC principles
• Comfortable working directly with developers and cross-functional stakeholders

Responsibilities

• Own and deliver application security initiatives end-to-end
• Define clear quarterly SMART goals and drive toward their completion
• Engage stakeholders proactively and escalate blockers before they become issues
• Take full responsibility for the delivery of project ownership
• Validate findings through hands-on testing; never assume without verification
• Produce detailed, technically accurate risk assessments and remediation advice
• Investigate deeply using tools like Semgrep, Feroot, Source Defense, and Noname
• Understand the context of the applications you’re securing—business logic, threat model, and operational constraints
• Stay current on insecure practices (e.g., eval, shell injection, unsafe deserialization) and ensure they’re recognized and flagged appropriately
• Speak up early when you see risk, blockers, or better ways to solve problems
• Share context, findings, and decisions proactively in meetings and documentation
• Follow through on action items; own gaps and next steps
• Operate with transparency—acknowledge unknowns and follow up with answers

Preferred Qualifications

• Contributions to open-source, bug bounty programs, or security communities
• Familiarity with compliance standards like PCI-DSS, SOC 2, or ISO 27001
• Prior experience in environments with distributed teams or high agility

Benefits

• Flexible, remote work environment (*see our open states above)
• No “vacation policy” (not to be confused with a “No vacation” policy)
• Generous fully-paid parental leave
• $1,000 annually to invest in stocks of your choice
• Super low premiums for medical, dental, and vision coverage
• Comprehensive compensation package, including company equity