
Senior Application Security Engineer

Job in Westbrook, Cumberland County, Maine, 04098, USA
Listing for: USC1 IDEXX Laboratories, Inc.
Full Time position
Listed on 2026-06-02
Job specializations:
  • IT/Tech
    Cybersecurity, Security Manager, Data Security, IT Consultant
Salary/Wage Range or Industry Benchmark: 80000 - 100000 USD Yearly
Job Description & How to Apply Below

IDEXX’s cybersecurity and information security teams build resilient, adaptive, and secure enterprise capabilities that enable product and solution delivery to customers worldwide.

Responsibilities
  • Security Assessments & Testing – Conduct security architecture reviews and threat‑modeling sessions with development teams using the STRIDE methodology. Perform application security assessments across our security verification service offerings, including SAST/DAST analysis, manual code review, API security testing, authentication/authorization testing, and vulnerability validation. Execute hands‑on security testing of applications, APIs, mobile applications, agentic solutions, and cloud‑native services. Analyze and validate security findings from automated security tools and provide actionable remediation guidance.
  • Security Engineering & Automation – Build and maintain security verification tooling, scripts, and automation to improve assessment efficiency and coverage. Develop custom security testing scripts and proof‑of‑concept exploits to validate vulnerabilities. Contribute to security tooling integration within CI/CD pipelines. Create reusable security patterns, code snippets, and reference implementations for common security controls.
  • Developer Partnership & Enablement – Contribute to security training and enablement sessions on secure coding practices, common vulnerabilities, and threat modeling. Provide just‑in‑time security guidance during sprint planning, design reviews, and code reviews as requested. Translate security findings into developer‑friendly remediation guidance with code examples and implementation patterns.
  • SSDLC & Program Development – Contribute to SSDLC policy development and security requirements documentation grounded in OWASP SAMM practices. Guide the evolution of the SSDLC to address emerging risks and controls introduced by AI‑assisted development. Support the standardization of security assessment intake, execution, and reporting processes via ServiceNow. Maintain security verification documentation, including testing methodologies, checklists, and runbooks. Track and report on security assessment metrics including coverage, finding severity distribution, and remediation timelines.
Qualifications
  • 4‑6 years of hands‑on experience in application security with demonstrable technical skills.
  • Strong grasp of threat‑modeling methodologies (STRIDE preferred) and risk assessment.
  • Strong understanding of common web application vulnerabilities (OWASP Top 10, SANS Top 25) and secure coding practices.
  • Practical experience conducting security assessments, including SAST/DAST analysis, manual code review, and penetration testing.
  • Proficiency with application security testing tools.
  • Solid understanding of at least two programming languages sufficient to review code for security issues.
  • Experience with API security testing (REST, GraphQL, SOAP) and authentication/authorization mechanisms (OAuth, SAML, JWT).
  • Working knowledge of CI/CD security integration and tools such as GitHub Advanced Security, SonarQube, or Snyk.
  • Understanding of secure architecture principles and security design patterns.
  • Familiarity with cloud security fundamentals (AWS, Azure, or GCP).
  • Knowledge of vulnerability scoring systems (CVSS, EPSS) and prioritization frameworks.
  • Awareness of compliance requirements (SOC2, GDPR, HIPAA, CRA) and how they apply to application security.
  • Ability to communicate complex security issues clearly to both technical and non‑technical audiences.
  • Skill in building trust and partnerships with development teams rather than acting as a gatekeeper.
  • Comfort working in a fast‑paced agile environment where security must enable delivery.
  • Experience mentoring or enabling developers on security topics.
  • Track record of translating security findings into practical, actionable remediation guidance.
Preferred Qualifications
  • GIAC Web Application Penetration Tester (GWAPT), Offensive Security Certified Professional (OSCP), or Certified Application Security Engineer (CASE) certification.
  • Background in software development or DevOps with a transition to security.
  • Familiarity with OWASP SAMM, BSIMM, or similar secure…
Position Requirements
10+ Years work experience