Application Security Engineer

Application Security Engineer

NYC / Charlotte NC- 3 Days Onsite

W2 Position

Overview:

This role will be an integral component of the application security program end-to-end — from discovery and inventory of business unit applications, through tooling implementation, through embedding security and AI-assisted controls into business unit Dev Ops pipelines. This is as much a relationship and influence role as it is a technical role; success requires partnering effectively with subsidiaries. This is a hybrid on-site position, with a requirement to be in office three times per week.

What You’ll Do

• Application discovery and inventory across all business units, including ownership mapping, technology stack profiling, and risk tiering.

• Standing up and operating the App Sec tooling stack — SAST, SCA, secrets scanning, and container/IaC scanning — integrated into business unit CI/CD pipelines.

• Designing and implementing AI-assisted triage workflows on top of App Sec tooling so that finding volume does not overwhelm developers and false positives are filtered before reaching engineering teams.

• Defining secure SDLC requirements, threat modeling practices, and security gates that business units adopt as part of their standard development process.

• Partnering with business unit development leaders to build the relationships and shared playbooks needed to operationalize App Sec without becoming a blocker to delivery.

• Contributing to AI security strategy — evaluating emerging tools (AI code review assistants, agentic security testing, automated security requirement generation) and recommending what to operationalize and what to defer.

• Producing executive-ready metrics and reporting that connect App Sec activity to business risk reduction.

Required Qualifications

• 7+ years in application security, product security, or security engineering, with at least 3 years in environments with multiple independent business units, brands, or product lines.

• Hands-on experience deploying and operating modern App Sec tooling (e.g., Semgrep, Snyk, Checkmarx, Veracode, Apiiro, Ox Security, Git Hub Advanced Security).

• Working code-level proficiency in at least three commonly-used languages (e.g., Python, JavaScript/Type Script, Java, C#, Go) sufficient to read, review, and triage findings.

• Strong scripting and automation skills in Python or equivalent; comfortable building integrations against REST APIs and operating in CI/CD environments (Git Hub Actions, Git Lab CI, Jenkins, Azure Dev Ops).

• Demonstrated ability to influence engineering organizations without direct authority — negotiating standards, driving adoption, and partnering with development leaders.

• Practical understanding of OWASP Top 10, threat modeling methodologies (STRIDE, PASTA, or equivalent), and modern attack patterns including supply chain risks.

Preferred Qualifications

• Experience integrating LLM-based tooling into security workflows (alert triage, finding summarization, remediation guidance generation).

• Familiarity with one or more compliance frameworks relevant to our environment (HITRUST, HIPAA, NIST AI RMF, SOC
2).

• Prior experience working in a regulated or healthcare-adjacent environment.

• Cloud security depth in at least one major provider (AWS, Azure, Google Cloud Platform).

• Public contribution to App Sec community — OSS, conference talks, published research, or detection/rule contributions.