Application Security Engineer

Overview

Permanent, full-time, hybrid

Connecting clients to markets – and talent to opportunity.

With 4,500 employees and over 300,000 commercial, institutional, payments, and retail clients, we operate from more than 70 offices spread across six continents. As a Fortune 100, Nasdaq-listed provider, we connect clients to the global markets – focusing on innovation, human connection, and providing world-class products and services to all types of investors.

Whether you want to forge a career connecting our retail clients to potential trading opportunities, or ingrain yourself in the world of institutional investing, StoneX Group is made up of four business segments that offer endless potential for progression and growth.

Engage in a deep variety of business-critical activities that keep our company running efficiently. From strategic marketing and financial management to human resources and operational oversight, you’ll have the opportunity to optimize processes and implement game-changing policies.

Corporate: Engage in a deep variety of business-critical activities that keep our company running efficiently. From strategic marketing and financial management to human resources and operational oversight, you’ll have the opportunity to optimize processes and implement game-changing policies.

Responsibilities

Position purpose: The Application Security Engineer role at StoneX is a hands-on position focused on securing applications across the SDLC while managing and tuning Cloudflare’s edge security features, including WAF, Zero Trust, bot management, and API protections. The engineer will work closely with development teams to embed secure coding practices, conduct threat modeling, integrate and manage tools like SAST, DAST, and SCA in CI/CD pipelines, and support manual assessments such as bug bounties and penetration testing.

The ideal candidate has at least 5 years of AppSec experience, strong expertise in Cloudflare security products, and a solid understanding of secure development practices. Experience with languages like Java, C#, JavaScript, or Python, as well as tools like GitHub Actions, Veracode, Burp Suite, and Snyk is highly valuable. A background in cloud environments (AWS, GitHub, or Azure) and relevant certifications (Security , CEH, or Cloudflare) are preferred. The role is designed for someone who can lead technical efforts, partner with cross-functional teams, and help scale and mature the organization’s application security program.

Responsibilities:

• Own and manage application-layer protections in Cloudflare, including WAF rules, API security, bot mitigation, and traffic controls.
• Review and enhance Cloudflare configurations to protect against emerging threats and align with business needs.
• Drive application security across the SDLC through collaboration with dev teams, threat modeling, code reviews, and education.
• Integrate and manage SAST, DAST, and SCA tools into CI/CD workflows to catch issues early and at scale.
• Participate in and support manual security assessments, bug bounty validation, and pen-testing efforts.
• Develop and refine internal policies, secure coding standards, and AppSec best practices.
• Analyze vulnerabilities for exploitability and impact, coordinate remediation plans, and track resolution.
• Help scale the AppSec program by improving visibility, coverage, and developer engagement.
• This list of duties and responsibilities is not intended to be all-inclusive and can be expanded to include other duties or responsibilities that management deems necessary.
  
  
  

Technology Ecosystem:

• Languages/Stacks: Java, C#, JavaScript, Python
• Security Testing: SAST, DAST, SCA, manual code review, penetration testing
• Edge Security: Cloudflare WAF, Zero Trust, Bot Management, Rate Limiting
• Cloud & CI/CD: GitHub Actions, Azure DevOps, AWS
• Processes: Secure SDLC, threat modeling, bug bounty, vulnerability management
  
  
  

Qualifications

Required:

• 5 years of experience in Application Security
• Experience with Cloudflare WAF and related products (e.g., WAF configurations, bot management, access controls)
• Strong understanding of secure coding practices, authentication, and access control
• Familiarity with tools such as Burp Suite, Veracode, GHAS, Snyk, or similar
• Experience working with CI/CD pipelines and development teams to shift security left
  
  
  

Preferred:

• Hands-on development background (Java, C#, Python, or JavaScript)
• Knowledge of bug bounty operations, OWASP Top 10, and modern web security risks
• Experience with threat modeling methodologies and risk-based vulnerability triage
• Cloud knowledge (AWS, Azure) is a plus
  
  
  

Education / Certifications:

• Bachelor’s degree in Computer Science, Cybersecurity, or related field
• Certifications such as Security , CEH, or cloudflare related certifications are a plus
  
  
  

Hiring Salary Range $90,000.00 - $120,000.00 per year to be determined by the education, experience, knowledge, skills and abilities of the applicant, internal equity and alignment with market data). Subject to business performance and recommendations of management, this role may be eligible to participate in an incentive compensation plan. This compensation package, in addition to a full range of medical, financial, and/or other benefits, dependent on the position, is offered.