Application Security Engineer

This role is responsible for performing advanced product security testing to strengthen the cybersecurity posture across next‑generation vehicle and connected services platforms. As part of the Product Security Testing Team (PSTT) within the Product Cybersecurity Group (PCG), the position conducts hands‑on security assessments, penetration testing, and vulnerability research across APIs, mobile applications (iOS and Android), cloud‑hosted services, Linux systems, and wireless technologies. Responsibilities include validating security requirements against implementation, developing proof‑of‑concept exploits, reverse engineering software components, and clearly communicating security risks and remediation guidance to engineering teams. This role requires strong technical depth, an offensive security mindset, and close collaboration with cross‑functional stakeholders.

Essential Functions:

• Conduct analysis of security requirements specifications against implementation
• Perform security assessments and penetration testing including but not limited to mobile applications (iOS and Android), wireless security, APIs, cloud environments, and Linux OS
• Evaluate cloud infrastructure security across AWS, Azure, or GCP environments, including IAM policies, network segmentation, storage configurations, and serverless architectures
• Assess container and orchestration security (Docker, Kubernetes) for vehicle-connected cloud services and microservices deployments
• Review cloud-native application security controls such as API gateways, service meshes, secrets management, and logging/monitoring configurations
• Communicate complex technical findings and recommend the appropriate course of action, supporting the mitigation and re-validation efforts
• Support testing Connected Services ecosystems to identify and report security vulnerabilities and ensure compliance with security standards
• Develop and maintain security testing tools to support penetration testing and security verification activities, ensuring thorough identification of vulnerabilities
• Develop skills through continuous learning and apply what you have learned relevant to emerging attack vectors, vulnerabilities, and exploits across application and cloud domains
• Travel to clients or partners sites as needed to provide on-site support for security testing and verification activities
  

• Bachelor’s degree (or higher) in Computer Engineering, Computer Science, Cybersecurity or related is strongly desired
• Strong understanding of OWASP Top 10, SANS Top 25, and common cloud & mobile application vulnerabilities
• Hands-on experience securing cloud environments (AWS, Azure, or GCP), including identity and access management, network security groups, and cloud-native security tooling
• Foundational knowledge in security assessment on OS or application-level of iOS/Android applications
• Demonstrated ability to perform penetration testing against APIs, mobile applications (Android and iOS), and cloud infrastructure
• Familiarity with programming languages such as C/C , Java, Swift, Kotlin, and Python through practical experience
• Familiarities with network security principles and various wireless security protocols
• Knowledge of APIs security, application security, and authentication protocols such as OAuth, SAML, etc.
• Basic knowledge and understanding of X.509, SSL/TLS certificate, and general certificate management process
• Basic understanding of API security best practices
• Willingness to learn developing security tools and automation scripts to support vulnerability assessment and penetration testing
• Strong interest to acquire and develop additional skills such as Embedded systems security fundamentals
  
  Qualifications
• Demonstrates strong capability in conducting penetration testing and security assessments across applications, APIs, cloud environments, operating systems, and wireless technologies to identify, validate, and prioritize security risks
• Applies deep knowledge of application, API, and cloud security principles—including authentication, authorization, and secure architectures, to assess real‑world risk and recommend effective mitigations
• Analyzes complex systems, reverse engineers software components, and develops proof‑of‑concept exploits to understand root causes, attack paths, and potential impact
• Collaborates effectively with engineering and product teams to communicate findings, influence secure design decisions, and support remediation and re‑validation efforts
• Develops or enhances security testing tools, scripts, and automation to improve testing efficiency, consistency, and coverage
• Continuously builds knowledge of emerging attack techniques, vulnerabilities, and security trends and applies learnings to improve security testing effectiveness