Application Security Engineer

Application Security Engineer

Hybrid, NYC

Contract Role

Our client’s Cybersecurity Organization is seeking an Application Security Engineer.

This role will be an integral component of the application security program end-to-end — from discovery and inventory of business unit applications, through tooling implementation, through embedding security and AI-assisted controls into business unit DevOps pipelines.

This is as much a relationship and influence role as it is a technical role; success requires partnering effectively with our client’s subsidiaries.

This is a hybrid on-site position, with a requirement to be in the NYC office three times per week.

Responsibilities:

• Application discovery and inventory across all business units, including ownership mapping, technology stack profiling, and risk tiering.
• Standing up and operating the AppSec tooling stack — SAST, SCA, secrets scanning, and container/IaC scanning — integrated into business unit CI/CD pipelines.
• Designing and implementing AI-assisted triage workflows on top of AppSec tooling so that finding volume does not overwhelm developers and false positives are filtered before reaching engineering teams.
• Defining secure SDLC requirements, threat modeling practices, and security gates that business units adopt as part of their standard development process.
• Partnering with business unit development leaders to build the relationships and shared playbooks needed to operationalize AppSec without becoming a blocker to delivery.
• Contributing to AI security strategy — evaluating emerging tools (AI code review assistants, agentic security testing, automated security requirement generation) and recommending what to operationalize and what to defer.
• Producing executive-ready metrics and reporting that connect AppSec activity to business risk reduction.

Required Qualifications:

• 7 years in application security, product security, or security engineering, with at least 3 years in environments with multiple independent business units, brands, or product lines.
• Hands-on experience deploying and operating modern AppSec tooling (e.g., Semgrep, Snyk, Checkmarx, Veracode, Apiiro, Ox Security, GitHub Advanced Security).
• Working code-level proficiency in at least three commonly-used languages (e.g., Python, JavaScript/TypeScript, Java, C#, Go) sufficient to read, review, and triage findings.
• Strong scripting and automation skills in Python or equivalent; comfortable building integrations against REST APIs and operating in CI/CD environments (GitHub Actions, GitLab CI, Jenkins, Azure DevOps).
• Demonstrated ability to influence engineering organizations without direct authority — negotiating standards, driving adoption, and partnering with development leaders.
• Practical understanding of OWASP Top 10, threat modeling methodologies (STRIDE, PASTA, or equivalent), and modern attack patterns including supply chain risks.

Preferred Qualifications:

• Experience integrating LLM-based tooling into security workflows (alert triage, finding summarization, remediation guidance generation).
• Familiarity with one or more compliance frameworks relevant to our environment (HITRUST, HIPAA, NIST AI RMF, SOC 2).
• Prior experience working in a regulated or healthcare-adjacent environment.
• Cloud security depth in at least one major provider (AWS, Azure, GCP).
• Public contribution to AppSec community — OSS, conference talks, published research, or detection/rule contributions.