Security Engineer

RESPONSIBILITIES

• Perform hands-on web/API penetration tests, validate scanner findings, and provide clear PoCs, impact statements, and prioritized remediation aligned with OWASP.
• Integrate and tune SAST, DAST, SCA, container, and secret-detection tools in CI/CD; define pass/fail gates and PR checklists.
• Conduct lightweight threat modeling and security design reviews for new features such as authentication, session management, and secrets handling.
• Manage the full application vulnerability lifecycle (discover → prioritize → fix → retest → close) with SLAs and metrics.
• Assist in hardening AWS and ECS/Docker workloads (IAM roles, network segmentation, image policies, logging/monitoring) and support patch hygiene across cloud, container, and endpoints.
• Participate in incident response, including exploit reproduction, log analysis, impact assessment, and lessons learned.
• Provide evidence for audits (ISO 27001, SOC 2, NIST SSDF), maintain policies and developer guidance, and support vendor/security evaluations.
• Translate findings into developer-ready tickets, publish secure-coding guidance, and partner with engineering to streamline secure delivery.
• Prototype automation, explore AI/LLM-assisted workflows to improve triage and code review, and share improvements across teams.
• Contribute to organization-wide cybersecurity training and awareness efforts.

QUALIFICATIONS

• Bachelor's degree in security engineering, information assurance, or related field.
• 2–3 years of experience in security or software engineering (internships, labs, or open-source count), preferably in regulated industries.
• Strong knowledge of web/API security issues (auth, session management, injections, SSRF, CSRF, access control) and common cloud/web misconfigurations.
• Experience with SDLC security tools (SAST/DAST/SCA/secret detection/container scanning), CI/CD workflows, and Git.
• Scripting or coding skills (Python or JavaScript/TypeScript) and ability to read backend code.
• Familiarity with AWS security basics (IAM least privilege, KMS, logging/monitoring, security groups) and Docker/ECS runtime considerations.
• Clear communication skills with the ability to translate risk into actionable remediation.
• Experience using AI/LLM-assisted tools for triage, documentation, or code review preferred. 
• Exposure to WAF/CDN tuning, API protection, and risk-based remediation SLAs/metrics preferred. 
• Familiarity with frameworks like OWASP ASVS/SAMM, NIST SSDF, ISO 27001, SOC 2, PCI DSS preferred. 
• Relevant security certifications preferred.