Role Description
We are looking for a highly skilled Application Security Engineer to strengthen the security posture of our applications and platforms. This role focuses on embedding security into the Software Development Lifecycle (SDLC), proactively identifying vulnerabilities, and partnering with engineering teams to build secure-by-design systems.
The ideal candidate combines deep application security expertise with strong technical acumen, enabling secure coding practices, vulnerability management, and DevSecOps integration across modern, cloud-native architectures.
Key Responsibilities
- Integrate security practices into the SDLC and promote secure-by-design principles.
- Perform secure code reviews and identify vulnerabilities across web, mobile, and backend applications.
- Conduct threat modeling and risk assessments for new and existing features.
- Implement and manage SAST, DAST, SCA, and container security scanning tools.
- Identify, triage, and support remediation of application security vulnerabilities.
- Partner with engineering teams to provide secure coding guidance and best practices.
- Embed security checks into CI/CD pipelines to enable DevSecOps practices.
- Conduct periodic security assessments and support penetration testing exercises.
- Ensure compliance with OWASP Top 10 and other industry security standards.
- Develop security documentation, policies, and training material for developers.
- Monitor emerging threats and proactively strengthen application defenses.
Current Challenges
- Scaling application security across microservices and distributed architectures.
- Reducing vulnerability backlog and improving remediation turnaround time.
- Balancing development velocity with strong security governance.
- Integrating automated security testing into fast-paced CI/CD pipelines.
- Enhancing developer awareness and ownership of secure coding practices.
Qualifications & Experience
- 48+ years of experience in Application Security or Software Security Engineering.
- Strong understanding of web application vulnerabilities (OWASP Top 10).
- Hands-on experience with SAST, DAST, SCA tools (e.g., SonarQube, Checkmarx, Veracode, Burp Suite, etc.).
- Experience in secure code reviews for languages such as Java, .NET, Python, or JavaScript.
- Familiarity with CI/CD tools (Jenkins, GitHub Actions, Azure DevOps) and DevSecOps integration.
- Understanding of API security, authentication protocols (OAuth, JWT), and encryption standards.
- Experience with cloud security concepts (AWS/Azure/GCP).
- Knowledge of container security (Docker/Kubernetes) preferred.
- Relevant certifications such as CEH, CSSLP, GWAPT, or similar preferred.
- Bachelor's degree in Computer Science, Information Security, or related field.
Why Kimbal
At Kimbal, security is embedded into everything we build. As an AppSec Engineer, you will work at the intersection of engineering and security influencing architecture, strengthening developer practices, and ensuring robust protection of mission-critical systems. We value ownership, technical excellence, and proactive innovation in securing scalable platforms.
