Application Security Engineer – Secure Development & DevSecOps
| Company | BambooHR |
|---|---|
| Location | Utah, USA |
| Salary | Not Provided |
| Type | Full-Time |
| Degrees | Bachelor’s |
| Experience Level | Mid Level, Senior |
Requirements
- Bachelor’s degree in Computer Science, Information Security, or a related field, or equivalent practical experience.
- Minimum 3 years of specific, hands-on experience in Application Security.
- An AI- and automation-first mindset. Proficiency in IaC (Terraform, CloudFormation) and CI/CD pipeline security (e.g., GitHub Actions, CircleCI integrations).
- Proven experience conducting design and code reviews for web applications and APIs.
- Demonstrable experience deploying, configuring, and maintaining SAST and DAST tools within CI/CD pipelines (e.g., Jenkins, GitLab CI, Azure DevOps, CircleCI).
- Strong understanding of common web application vulnerabilities (OWASP Top 10) and their exploitation/mitigation.
- Experience with scripting languages (e.g., Python, Bash) for automation.
- Familiarity with cloud environments (e.g., AWS, Azure, GCP) and their security considerations.
- Excellent communication skills, with the ability to effectively articulate complex security concepts to technical and non-technical audiences.
- Strong problem-solving skills and a proactive approach to security.
Responsibilities
- Collaborate with engineering and product teams to integrate security requirements and best practices throughout the entire SDLC, from design to deployment.
- Conduct thorough security reviews of application architecture, design documents, and source code to identify and mitigate potential vulnerabilities.
- Design, implement, and maintain the integration of Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) tools into our CI/CD pipelines, and deploy runtime application self-protection (RASP) for web applications.
- Develop, automate, and enhance our vulnerability management processes, including triage, prioritization, and tracking of security findings across applications.
- Provide guidance, training, and tools to developers on secure coding principles, common vulnerabilities, and secure design patterns.
- Evaluate, recommend, and implement security tools and technologies to improve our application security posture.
- Drive automation initiatives for security tasks, leveraging scripting and orchestration to streamline workflows.
- Support security incident response activities related to application vulnerabilities.
- Stay abreast of emerging security threats, technologies, and best practices, and propose improvements to our application security program.
Preferred Qualifications
- Relevant security certifications (e.g., CSSLP, GWEB, GWAPT, OSWA).
- Experience with container security (Docker, Kubernetes).
- Familiarity with compliance frameworks relevant to SaaS (e.g., SOC 2, ISO 27001).
- Experience with bug bounty programs.