Cox
Overview
The Senior Application Security Engineer will collaborate closely with the Security Engineering Enablement and Security Architecture teams to develop and deliver secure software solutions. This role involves conducting secure code reviews and defining requirements for pre-release control validations, including SAST, DAST, SCA, API security, and container/IaC scans. The position focuses on providing effective remediation guidance and code examples to help teams address security issues swiftly. As part of the Center of Excellence (COE) for Application Security, Web Application Firewalls, and Cloud Security, you will advise teams on best practices through Office Hours, Brown Bags, or consultation sessions.
Key Responsibilities:
Manage and enhance our Application Security and Cloud Security tools, ensuring optimal user onboarding, policy configuration, and integration management.
Oversee the identification and resolution of vulnerabilities from various security sources, including SAST, DAST, SCA, API testing, IaC, and CSPM; lead efforts to review and suppress false positives with thorough audit trails.
Work alongside Cloud Platform teams to fortify AWS, Azure, and GCP environments using CSPM/CNAPP controls, guardrails, and established baselines, while promoting secure methodologies for serverless, containers, Kubernetes, and secret management.
Facilitate the administration and maintenance of the AppSec/CloudSec/WAF toolset including identity management, agent health checks, and disaster recovery testing.
Conduct regular evaluations of security tools to ensure alignment with the enterprise’s evolving needs.
Act as the primary point for managing Responsible Disclosure submissions by replicating reported issues, assessing their severity, assigning appropriate owners, and ensuring timely resolution.
Maintain clear communication with Responsible Disclosure reporters and internal stakeholders while upholding compliance through strict record-keeping.
Utilize scripting and automation (Python, PowerShell, Bash, REST APIs, Terraform modules, GitHub Actions/Azure DevOps/GitLab CI) to streamline processes and minimize manual workload.
Be a key stakeholder in designing Secure Pipelines for implementation by the Security Engineering Enablement team.
Minimum Qualifications:
Bachelor’s degree in a relevant discipline with at least 6 years of experience in a related field; alternative combinations such as a Master’s degree and 4 years of experience, or a Ph.D. and 1 year of experience, are also considered.
Minimum of 2 years in Application or Product Security with strong emphasis on secure software engineering practices.
Deep understanding of modern SDLC/DevSecOps within cloud-native environments, including microservices, APIs, container orchestration, serverless architectures, and Infrastructure as Code (IaC).
Hands-on experience with SAST, DAST, SCA, and API testing frameworks, and expertise in operating CNAPP solutions across multiple cloud platforms.
Proficient in scripting languages (preferably Python, with PowerShell and Bash as bonuses) and REST API integrations for task automation.
Strong familiarity with security frameworks and best practices including OWASP Top 10, ASVS, SAMM, NIST SSDF, and secure design principles.
Experience managing bug bounty or Responsible Disclosure processes while coordinating remediation efforts with product teams.
Excellent communication skills, with an ability to distill complex security risks into actionable insights for engineering teams and leadership.
Acquaintance with software supply chain security concepts and runtime protection mechanisms.
A solid understanding of cloud architecture and its associated infrastructure.
Ability to collaborate effectively with AI agents to enhance software development practices across the SDLC.
Ability to contribute to AI-powered features within our software, promoting experimentation and sharing insights for improved tool usage.
Ability to mentor peers and junior members on the application of AI technologies in development.
Preferred Qualifications:
Experience with WAF engineering, including policy tuning and management.
Relevant certifications such as CISSP, CSSLP, GWAPT, GCSA, or cloud security certifications from GCP, AWS, or Azure are advantageous.
Familiarity with API security issues and proactive threat response strategies is a bonus.
Salary Range: $119,600.00 - $199,400.00 per year
Compensation:
Competitive base salary accompanied by potential additional incentives based on performance and role expectations.
Benefits:
The Company promotes work-life balance by offering flexible vacation policies, paid holidays, and a total of 160 hours of paid wellness time annually. Further benefits include various forms of paid time off for personal, civic, and family responsibilities.