SecuritySMBEnterprise

Application Security Engineer (AppSec)

[Company Name] is looking for an Application Security Engineer to help us build secure software from the ground up. You will work alongside development teams to identify and remediate security vulnerabilities, conduct threat modeling, and integrate security tooling into our CI/CD pipelines. This role is both technical and collaborative -- you will be a trusted advisor to engineering teams, helping them ship features quickly without compromising on security.

Download DOCX Download PDF Use in Talantrix

Key Responsibilities

Perform security code reviews and design reviews for new features and architecture changes
Conduct threat modeling sessions with engineering teams to identify and mitigate risks early
Integrate and manage SAST, DAST, SCA, and secret scanning tools in CI/CD pipelines
Triage and prioritize vulnerability findings, and work with developers on effective remediation
Develop and maintain secure coding guidelines, libraries, and reusable security patterns
Lead or support penetration testing and security assessments of web and API applications
Champion a security-aware engineering culture through training, documentation, and mentorship

Required Skills & Experience

3+ years of experience in application security or software engineering with a security focus
Deep understanding of common web vulnerabilities (OWASP Top 10) and how to prevent them in code
Experience with security testing tools: SAST (Semgrep, SonarQube), DAST (Burp Suite, OWASP ZAP), SCA (Snyk, Dependabot)
Proficiency in at least one programming language used in production (Python, Java, Go, JavaScript/TypeScript)
Experience with authentication and authorization protocols (OAuth 2.0, OIDC, SAML, JWT)
Familiarity with CI/CD security integration and DevSecOps practices
Strong communication skills to explain security risks to technical and non-technical audiences

Nice-to-Have

Experience with cloud security (AWS, GCP, or Azure IAM, networking, and service configurations)
Security certifications such as OSCP, GWAPT, CEH, or CSSLP
Experience with container and Kubernetes security (pod security, network policies, image scanning)
Bug bounty participation or responsible disclosure experience
Background in compliance frameworks (SOC 2, ISO 27001, PCI-DSS)

Tech Stack

Burp SuiteSemgrepSnykSonarQubeOWASP ZAPGitHub Advanced SecurityTerraformDockerKubernetesPython

What We Offer

Competitive salary and equity package
Flexible remote or hybrid work arrangement
Health, dental, and vision insurance
Annual learning and development budget
Generous PTO policy

Interview Process

1Recruiter phone screen (30 min)
2Technical phone screen covering web security fundamentals and secure coding (45 min)
3Practical exercise: security code review or threat modeling session (60 min)
4On-site or virtual loop: architecture security review, vulnerability analysis, and team fit (3 hours)
5Final conversation with the security team lead or CISO

Hiring for this role? You might also need:

Interview Scorecards

Bar Raiser

Bar Raiser — Cross-Functional

Independent bar-raiser assessment ensuring the candidate raises the team's overall bar.

Culture & Values

Culture & Values Interview

Behavioral interview scorecard covering collaboration, ownership, and growth mindset.

Hiring Manager

Hiring Manager Final Round

Final evaluation by hiring manager: team fit, role alignment, and leadership potential.

Phone Screen

Recruiter Phone Screen (Universal)

General-purpose recruiter screen covering motivation, experience fit, and logistics.

Email Templates

Sourcing

Cold Outreach — Passive Developer

A personalized first-touch email to engage passive developers who aren't actively job hunting.

Interview Scheduling

Technical Interview Invitation

An email inviting a candidate to a technical interview with details on format, duration, and how to prepare.

Decision & Offer

Offer Letter Email

A congratulatory email extending a formal job offer with key terms and the attached offer letter.

Related Templates

Security

Common Screening Mistakes

Equating AppSec with network or infrastructure security -- AppSec engineers focus specifically on code, application logic, and the software development lifecycle
Requiring only security certifications without verifying hands-on coding ability -- strong AppSec engineers must be able to read and write code
Overlooking software engineers transitioning into security -- developers who have become passionate about security often make excellent AppSec engineers

Red Flags

Cannot discuss specific vulnerabilities they have found and how they were fixed -- AppSec is a hands-on discipline
Only knows theoretical security concepts but has never used security testing tools or reviewed real code
Adversarial attitude toward developers rather than a collaborative, enabling mindset

What Good Looks Like

A strong AppSec engineer combines software engineering skills with security expertise.
They will describe threat models they have built — security bugs they have found through code review, and how they integrated security tooling into pipelines without slowing down development.
Look for someone who can influence developers positively -- the best AppSec engineers are trusted partners — not gatekeepers.

Key Tech to Listen For

OWASP Top 10
SAST/DAST tools (Semgrep, Burp Suite, Snyk)
threat modeling
OAuth/OIDC/JWT
secure SDLC and DevSecOps
penetration testing