Application Security Engineer

Company Description

Strategy (Nasdaq: MSTR) is at the forefront of transforming organizations into intelligent enterprises through data-driven innovation. We don't just follow trends—we set them and drive change. As a market leader in enterprise analytics and AI software, we've pioneered the BI and analytics space, empowering people to make better decisions and revolutionizing how businesses operate. We are now also at the forefront of AI disruption, providing data via our enterprise semantic layer to AI agents, tools, and platforms.

But that's not all. Strategy is also leading a groundbreaking shift in digital assets, adopting bitcoin as our primary treasury reserve asset in 2020. Since then, we have issued innovative bitcoin-backed securities and have been the leader in bitcoin treasury companies. This visionary move has helped us build a fortress balance sheet and is solidifying our position as a forward-thinking, innovative force in the market.

Our people are the core of our success. At Strategy, you'll join a team of smart, creative minds working on dynamic projects with cutting-edge technologies. We thrive on curiosity, innovation, and a relentless pursuit of excellence.

Our corporate values—bold, agile, engaged, impactful, and united—are the foundation of our culture. As we lead the charge into the new era of AI and financial innovation, we foster an environment where every employee's contributions are recognized and valued.

Join us and be part of an organization that lives and breathes innovation every day. At Strategy, you're not just another employee, you're a crucial part of a mission to push the boundaries of analytics and redefine financial investment.

Tysons Corner, VA – Full‑time, in person, 5 days per week at the Strategy Office.

• AI Security Governance:
  Evaluate and establish guardrails for the secure use of AI coding assistants (e.g., Copilot, Cursor, Claude) within the engineering organization, including policy development around AI‑generated code review, training data exposure risks, and prompt injection vulnerabilities in AI‑integrated applications.
• Secure SDLC Integration:
  Work closely with development teams to integrate security into the SDLC, including threat modeling, secure code reviews, and security testing.
• Vulnerability Management:
  Identify, triage, and remediate security vulnerabilities through static and dynamic application security testing (SAST/DAST) and software composition analysis (SCA) tools.
• Security Assessments & Penetration Testing:
  Conduct manual and automated penetration testing of web, mobile, and cloud applications to detect security flaws.
• Secure Code Review:
  Analyze source code using both manual review and AI‑assisted code analysis tools (e.g., Git Hub Copilot Autofix, Semgrep, or similar) to surface vulnerabilities earlier in the development cycle and deliver actionable, in‑context remediation guidance to developers.
• Threat Modeling & Risk Analysis:
  Perform threat modeling to anticipate potential attack vectors and improve security architecture.
• Dev Sec Ops  Enablement:
  Support and enhance Dev Sec Ops  initiatives by integrating AI‑assisted security automation within CI/CD pipelines, including AI‑powered SAST/DAST tools and LLM‑based code scanning to accelerate vulnerability detection at the point of commit.
• Incident Response & Remediation:
  Assist in investigating security incidents related to applications and work with engineering teams to remediate threats.
• Security Awareness & Training:
  Educate and mentor developers on OWASP Top 10, SANS 25, and other security best practices.

• Bachelor's degree in Computer Science, Engineering, or related field.
• Minimum 2 years of software development or software security experience in an agile environment.
• Hands‑on experience applying Generative AI and/or ML to security use cases—such as vulnerability triage, threat detection, or secure code review automation—and a strong drive to stay current as AI security tooling evolves.
• Hands‑on experience with SAST, DAST, IAST, and SCA tools (e.g., Checkmarx, Fortify, Veracode, Sonar Qube, Burp Suite, ZAP).
• Fluent in one or more…