Application Security Engineer

We are seeking a remote, full-time Senior Application Security Engineer with 5+ years of experience to help strengthen the security posture of the software platforms. This role will be responsible for reviewing application code, identifying security vulnerabilities, and working closely with development teams to ensure secure coding practices are followed throughout the software development lifecycle.

The ideal candidate will have strong experience in application penetration testing, fraud detection and analysis, and secure software development practices. This individual will play a key role in proactively identifying risks in PHP, Python, and Angular applications, while also educating development teams on secure coding standards and best practices.

Our client provides integrated software and marketing solutions for the hospitality industry, specializing in short-term rental management. Their platform provides vacation rental companies with an enterprise-class property management system integrating booking, guest communications, and financial reporting systems - all built with partner organization integrations in mind.

Responsibilities:

• Conduct regular security assessments, code reviews, and penetration testing to identify vulnerabilities in applications and software, including manual and automated code reviews for applications written in PHP, Python, and Angular
• Analyze applications for common vulnerabilities such as those identified in the OWASP Top 10, including risks related to authentication, authorization, data validation, and session management
• Conduct application penetration testing and vulnerability assessments on web applications and APIs, simulating real-world attack scenarios to uncover security weaknesses and documenting findings with recommended mitigation strategies
• Conduct threat modeling and risk assessments to proactively identify potential risks and develop mitigation strategies
• Track, analyze, and manage vulnerabilities in applications while providing guidance and support for remediation efforts
• Analyze application behavior and transaction patterns to detect potential fraud or abuse scenarios and identify vulnerabilities that could enable account takeover, payment fraud, or data manipulation
• Partner with engineering and product teams to design controls that reduce fraud risk.
• Work closely with development teams to ensure security best practices are integrated throughout the software development lifecycle (SDLC), including developing secure coding guidelines, delivering secure coding training, and providing guidance during design and architecture reviews
• Design, develop, and implement security tools, frameworks, and methodologies to protect applications against security threats, including integrating and maintaining security testing tools such as SAST, DAST, and dependency scanning within CI/CD pipelines
• Assist in investigating, analyzing, and responding to security incidents related to applications, ensuring timely resolution and documentation of incidents
• Track vulnerabilities and remediation progress through internal ticketing systems while collaborating with engineering, DevOps, and product teams to improve the overall application security posture and assist in developing internal security policies and procedures

Required Experience:

• Excellent English communication skills
• 5+ years of experience in application security, penetration testing, or secure software development
• Strong understanding of web application security principles and the OWASP Top 10
• Experience reviewing code in PHP, Python, and modern JavaScript frameworks such as Angular
• Experience performing application penetration testing and vulnerability assessments
• Knowledge of authentication, authorization, encryption, and secure session management
• Experience identifying and mitigating fraud or abuse patterns in applications
• Familiarity with common security testing tools (e.g., Burp Suite, OWASP ZAP, Snyk, SonarQube, etc.)
• Strong communication skills and the ability to explain security issues to non-security engineers

Desired Experience:

• University degree or relevant industry experience
• Experience integrating security testing into CI/CD pipelines
• Familiarity with cloud security principles
• Experience with secure architecture reviews
• Relevant certifications such as OSCP, CEH, GWAPT, or CSSLP
• Experience working in agile development environments

Additional Information:

• Knowing your ideas are heard and matter, think big!
• You get to own your job and be recognized for your contributions
• Work with smart and creative people
• Making mistakes is human. Let's learn from them. Be transparent!
• We recognize you as an individual, with no presumptions or judgment. Be the extraordinary you!
• 15 days Paid Time Off (PTO), 1 floating day, 3 sick days, and designated national holidays
• Start: ASAP

About Velozient:

We are a privately held, nearshore software development company providing outsourced development resources to North American companies. Our mission is to offer development talent that enjoy taking on challenging work, want to grow their skills and experiences building software, and excel in a fast-paced, dynamic team environment. We are focused on providing world-class remote resources to work as valued client team members. If this type of opportunity excites you, then consider joining our team!