Senior Application Security Engineer

Brightflag

📍Remote - Ireland

Summary

Join Brightflag as an Application Security Engineer and play a key role in ensuring the secure delivery of features for our high-profile customers. You will drive our Secure By Design approach, conduct penetration testing, improve DevOps security, and deliver security training. Collaborate with engineering and DevOps teams to embed security throughout the SDLC. This role requires strong application security experience, expertise in secure coding practices, and excellent communication skills. Brightflag offers a competitive salary, share options, flexible work location, comprehensive benefits, and professional development opportunities.

Requirements

  • 5+ years’ experience in application security, penetration testing, or a similar security-focused engineering role
  • Bachelor’s degree in computer science or a related field, or equivalent industry certifications
  • Deep understanding of web application security, threat modelling, and secure software development practices
  • Strong experience embedding security tools (SAST, DAST, dependency scanning) into CI/CD pipelines and hands-on experience in penetration testing of web applications
  • Excellent knowledge of OWASP vulnerabilities and secure coding principles
  • Familiarity with emerging cybersecurity exploits, attack techniques, and mitigation strategies
  • In-depth knowledge of web application architectures and secure software development practices
  • Strong understanding of network protocols, cryptographic technologies, and authentication/authorisation models
  • Proficiency in Java and secure coding practices
  • Strong coding, scripting, and automation experience, with an emphasis on reducing security toil through tooling
  • Ability to work independently as the expert in application security
  • Experience working as a trusted partner to software engineers to drive security adoption effectively and in a collaborative manner
  • Strong, pragmatic problem-solving skills, so that security enables development and the needs of security and engineering are balanced effectively
  • Ability to take ownership of security beyond identifying problems; this person is accountable for ensuring security is implemented correctly
  • Excellent communication skills, with the ability to clearly explain security concepts to software engineers, DevOps, and leadership without unnecessary complexity

Responsibilities

  • Drive our Secure By Design approach: embed security into the SDLC by reviewing requirements with security impact, assessing technical designs, and performing secure code reviews
  • Conduct penetration testing on application features for vulnerabilities, including OWASP Top 10 issues and emerging threats, and work with engineering to remediate findings
  • Improve DevOps security by integrating static analysis (SAST), dependency scanning, dynamic testing (DAST), and security automation into CI/CD, ensuring security across our tech stack (includes Java, Spring, MySQL, Elastic, AWS)
  • Develop and deliver security training and mentoring to software engineers, ensuring security knowledge is shared across teams
  • Secure the integration of AI/ML-based features by applying security best practices to data-driven applications and mitigating risks unique to LLMs and data pipelines
  • Collaborate with our DevOps and AWS infrastructure security team, supporting testing and scanning of vulnerabilities in the application tech stack
  • Support and guide the external penetration testing process, ensuring findings translate into actionable security improvements

Preferred Qualifications

  • Experience with Java web applications, Spring, and Spring Security
  • Experience securing SaaS multi-tenant applications
  • Experience with AWS or other cloud platforms
  • High-growth startup experience
  • Security certifications (e.g., OSCP, CISSP, AWS Security Specialty, Google Professional Cloud Security Engineer, GIAC GWAPT, GIAC GPEN)

Benefits

  • Competitive salary
  • Share options
  • 25 days of holiday + 4 company ‘Reset’ days throughout the year
  • Comprehensive health insurance, life insurance and long-term illness/income protection
  • Fully flexible work location and work patterns so you can balance life at home with life at work - come to the office, work at home… or enjoy a blend of both at your discretion
  • Learning subsidy of €2,000/US$2,200/AU$3,200 annually, to spend as you wish, plus study and examination leave where applicable
  • Access to Pluralsight, the on-demand learning platform for tech teams
  • The Tax-Saver or Cycle-to-Work Scheme
  • Wellbeing program & stipend
  • Home office set-up supports
