Application Security Engineer
About the role
We are looking for an Application Security Engineer who lives at the intersection of security and engineering. This is not a policy role - you will be hands-on building, tuning, and scaling the security scanning infrastructure that protects our software delivery pipeline. You will own SAST, DAST, and SCA tooling end to end, drive false positive reduction, and embed security gates directly into CI/CD workflows across engineering teams. A deep understanding of how vulnerabilities actually work - not just what scanners report - is fundamental to success in this role.
The Problem We're Solving
We operate in a complex, regulated environment - multiple languages, layered network boundaries, and delivery velocity that cannot be sacrificed for security theater. We are building a scanning program that works in that reality: tuned, automated, trusted - coverage that is measurable and findings that engineers actually act on. This role exists to solve that problem.
Responsibilities
- Own and operate static, dynamic, and software composition analysis scanning platforms across all engineering pipelines - onboarding new repositories, tuning rulesets, and maintaining coverage metrics
- Build and maintain CI/CD security gates that enforce scan policies at pull request, merge, and release stages across engineering workflows
- Write custom detection rules tailored to the organization's tech stack and threat model - covering vulnerability classes specific to the languages and frameworks in use
- Triage and prioritize scan findings with a deep understanding of actual exploitability - distinguish true positives from noise, explain the real-world impact of each finding, and build suppression workflows that reduce false positive rates without creating blind spots
- Develop automation to ticket, deduplicate, and route findings to the right engineering teams with enough context for developers to understand and act on them
- Integrate dynamic scanning into pre-production environments with authenticated coverage - understanding what attack surface is actually reachable versus what scanners miss
- Partner with engineering teams on remediation - provide exploit context, reproduce findings where necessary, and give concrete fix guidance grounded in how the vulnerability actually works
- Support software composition analysis and dependency security programs - tying third-party vulnerabilities back to actual reachability and exploitability in the codebase rather than treating every CVE as equal severity
- Contribute to the security champions program - help developers understand not just what is flagged but why it matters and how an attacker would use it
- Run structured evaluations of new tooling and drive buy vs build decisions with documented PoC results
Requirements
These areas are the capabilities we are looking for. Strong candidates will not check every box. If you are strong in any of the areas below, we want to hear from you. Depth in one area, with curiosity about the others, matters more than surface-level familiarity across all of them.
- 5-7 years in application security, DevSecOps, or a security engineering role with tooling focus
- Strong foundational knowledge of how web application vulnerabilities work at a technical level - injection classes, broken authentication patterns, insecure deserialization, XXE, SSRF, IDOR, race conditions, and business logic flaws - not just awareness of their names
- Ability to read a scan finding and independently reason about whether it is exploitable in context - understanding data flow, trust boundaries, and what an attacker would actually need to trigger it
- Hands-on experience deploying and tuning SAST platforms - writing or modifying rules, understanding AST-based and dataflow analysis, and knowing where static analysis fundamentally cannot reach
- Experience integrating security tooling into CI/CD pipelines and enforcing policy at key delivery gates
- Proficiency in at least one scripting language - Python or Go strongly preferred - for automation and tooling development
- Experience with DAST tooling in authenticated scan configurations - understanding what authenticated coverage requires and how session handling, CSRF tokens, and multi-step flows affect scan fidelity
- Familiarity with SCA concepts - dependency graphs, transitive vulnerabilities, license risk, reachability analysis, and SBOM formats including CycloneDX and SPDX
- Ability to read and reason about code across multiple languages
- Background that spans both sides of the SDLC - having sat in a developer role before moving into security means stronger partnerships w
Worked at Interactive Brokers External? Share your experience