Centerfield

Application Security Engineer

Centerfield, $120K — $150K *
Information Technology
5 - 7 years of experience
Job Overview by Ladders

Qualifications

  • 7+ years of application security or software engineering experience driving an AppSec program
  • Expertise in web application security and common attack patterns
  • Proficient in CI/CD security integration including SAST, DAST, and container scanning
  • Hands-on experience with development stacks like Node/Next.js, C#/.NET, Python, and PHP
  • Practical knowledge of AWS and GCP with emphasis on Kubernetes and ECS
  • Strong interpersonal skills for communicating security concepts to diverse audiences
  • Proven success in leading initiatives and managing compliance requirements

Responsibilities

  • Build and manage a comprehensive AppSec program with defined standards and workflows
  • Integrate security checks into CI/CD pipelines to enhance developer practices
  • Operate and optimize security tools for consistent scanning of applications
  • Lead threat modeling and design reviews for innovative services and features
  • Conduct secure code reviews and coach teams on best practices
  • Implement AI security testing for infrastructures handling AI applications
  • Oversee the lifecycle of vulnerability management including triage and remediation
  • Enhance tooling and automation through scripting and APIs for efficiency

Benefits

  • Hybrid work model with required in-office days
  • Unlimited PTO for work-life balance
  • Comprehensive medical, dental, and vision insurance
  • 401(k) with company match from day one
  • Onsite gym facilities and weekly exercise classes
  • Monthly team bonding activities and catered meals
  • Career advancement opportunities through internal promotions
  • Paid volunteer days for community engagement
Full Job Description
The Opportunity...

Centerfield is building and operating modern, cloud-based products across multiple business verticals and technology stacks. We are looking for an Application Security Engineer to partner with Engineering, Product, and Security to make security an everyday part of how we build and ship software.

This role will drive a practical, developer-friendly AppSec program across teams and codebases, improving risk posture while enabling fast delivery. You will establish secure-by-default patterns, scale security testing through automation, and help Centerfield maintain an evidence-ready posture for SOC 2, HIPAA, and PCI-DSS.

Key outcomes in the first 6-12 months:
  • Establish a consistent AppSec operating model across engineering teams (intake, triage, remediation, exceptions, reporting).
  • Increase coverage and signal quality for SAST, SCA, secrets scanning, and DAST across CI/CD.
  • Improve mean-time-to-remediate for critical findings and reduce repeat vulnerabilities through root-cause fixes.
  • Make threat modeling and design reviews a standard part of delivering new capabilities.


How You'll Contribute...
  • Build and run the AppSec program: Define standards, workflows, and SLAs for identifying, prioritizing, and remediating application vulnerabilities.
  • Embed security into the SDLC: Integrate security checks into build and deployment pipelines (e.g., GitHub/Jenkins) and make results actionable for engineering teams.
  • Security testing at scale: Operate and tune AppSec tooling for SAST, DAST, and SCA, and ensure teams can consistently scan code and dependencies.
  • Threat modeling & design reviews: Lead threat modeling sessions and architecture reviews for new services and major changes to identify risks early.
  • Secure code reviews: Partner with engineering to review high-risk changes and coach teams on secure coding patterns.
  • AI security testing: Design and execute security testing for AI infrastructure and workflows, including access controls for AI agents and LLM-focused vulnerability testing (e.g., hallucination and misinformation risks, data leakage and exfiltration, prompt injection, jailbreaks, and toxicity or abuse content generation).
  • Vulnerability management: Own the end-to-end lifecycle including intake, triage, prioritization, remediation guidance, verification, and root cause analysis.
  • Tooling & automation: Manage and continuously improve AppSec tools and workflows (e.g., Mend.io, SonarQube, and related ecosystem). Use scripting and APIs (Python preferred) to automate repetitive tasks and reporting.
  • Developer enablement: Create lightweight training, office hours, and a Security Champions model that scales across teams.
  • Cross-functional partnership: Work closely with Software Engineering, DevOps, Security, and Security Operations to align detection, response, and hardening efforts.


What We're Looking For...
  • 7+ years of experience in software engineering and/or application security, with meaningful ownership of an AppSec program or function.
  • Strong understanding of modern web application security, common attack patterns, and secure design principles.
  • Experience building security into CI/CD and developer workflows, including SAST, DAST, SCA, Secrets scanning, Container and/or IaC scanning.
  • Hands-on experience working with multiple stacks such as Node/Next.js, C#/.NET, Python, and PHP.
  • Practical cloud and platform understanding (Centerfield is primarily AWS with some GCP), including how modern apps run on Kubernetes/EKS and ECS/Fargate.
  • Strong communication skills and ability to explain security tradeoffs to both technical and non-technical audiences.
  • Proven ability to lead cross-team initiatives, set standards, and drive adoption in environments with varied tooling and legacy constraints.
  • Familiarity with compliance-driven environments and ability to translate requirements into engineering-friendly controls (SOC 2, HIPAA and/or PCI-DSS).


Bonus Points...
  • Experience with cloud security tooling and posture management tools: Jenkins, GitHub, Mend.io, SonarQube, Wiz.io.
  • Experience building Security Champions programs and scalable developer education.
  • Experience with threat modeling methodologies and running design review programs.
  • Familiarity with bug bounty, responsible disclosure, and coordinated vulnerability disclosure processes.
  • Experience supporting regulated production environments with clear separation of scopes (e.g., PCI vs. non-PCI).
  • Relevant certifications (e.g., CSSLP, GWAPT, GWEB, OSWE, AWS Security Specialty) or equivalent demonstrated expertise.


Life at Centerfield...
  • This is ideally a hybrid position, and employees are expected to work in our Playa Vista, CA office every Tuesday, Wednesday & Thursday
  • Competitive salary + semi-annual bonus
  • Unlimited PTO - take a break when you need it!
  • Industry-leading medical, dental, and vision plans + generous parental leave
  • 401(k) company match plan - fully vested on day 1
  • Outside patio overlooking Playa Vista + cabanas, firepits & working grills
  • Monthly happy hours, catered lunches + daily food trucks
  • Award-winning culture & unprecedented team spirit (featured in LA Business Journal & Built In LA)
  • Fully stocked kitchens with snacks & drinks
  • Breakroom supplied with games, couches, workout equipment + weekly in-office exercise classes hosted by professional instructors (yoga, kickboxing & circuit training)
  • Free onsite gym + locker rooms
  • Paid charity and volunteer days (local mentor programs, adopt a pet, beach cleanup, etc.)
  • Monthly team outings (ball games, casino night, hikes, etc.)
  • Career growth - we enjoy promoting from within!


AI & Interview Policy

At Centerfield, we use AI tools internally to support efficiency and fairness in our hiring process, including resume screening and administrative tasks.

Candidates are welcome to use AI tools ethically to prepare for interviews, such as practicing responses or researching questions. However, all responses during the interview process should reflect your own knowledge, experience, and judgment.

The use of AI tools to generate responses during live interviews, technical assessments, or written submissions is not permitted unless explicitly stated otherwise.

To learn more, visit us Here.

Interviews will take place after resumes have been screened for the minimum requirements. Please note that this position is not restricted solely to the responsibilities listed above and that the job scope and responsibilities are subject to change.

About Centerfield

Centerfield is a technology-driven marketing and customer acquisition company that provides end-to-end customer acquisition services to leading brands. The company's platform leverages big data and real-time analytics to optimize marketing campaigns and drive customer acquisition. Centerfield was founded in 2011 and is headquartered in Los Angeles, California.
Size: 500 employees
Founded: 2011
