Senior Application Security Engineer to join our Product & Application Security team protecting applications across development teams. This role combines hands-on security testing with strategic partnership - you will conduct security assessments, perform threat modeling, and work directly with developers to build security into products from the start.
You will support security activities ranging from SAST/DAST analysis to API security testing, collaborate with our Security Champions to scale secure development practices, and contribute to the maturation of our Secure Software Development Lifecycle (SSDLC).
This position reports to the Senior Manager of Product & Application Security and operates within a team that prioritizes partnership over enforcement, using OWASP SAMM as our operational framework.
In this role, you will be responsible for...
Security Assessments & Testing
• Conduct security architecture reviews and threat modeling sessions with development teams using STRIDE methodology
• Perform application security assessments across 20+ security verification service offerings including SAST/DAST analysis, manual code review, API security testing, authentication/authorization testing, and vulnerability validation
• Execute hands-on security testing of web applications, APIs, mobile applications, and cloud-native services
• Analyze and validate security findings from automated tools (GitHub Advanced Security, Synack, Tenable, AquaSec) and provide actionable remediation guidance
• Support penetration testing engagements and coordinate with third-party security assessment vendors (Synack ST+)
Security Engineering & Automation
• Build and maintain security verification tooling, scripts, and automation to improve assessment efficiency and coverage
• Develop custom security testing scripts and proof-of-concept exploits to validate vulnerabilities
• Contribute to security tooling integration within CI/CD pipelines (GitHub Actions, GHAS CodeQL, secret scanning)
• Create reusable security patterns, code snippets, and reference implementations for common security controls
Developer Partnership & Enablement
• Partner with Security Champions across 36 development teams to provide security design guidance and implementation support
• Deliver security training and enablement sessions on secure coding practices, common vulnerabilities, and threat modeling
• Provide just-in-time security guidance during sprint planning, design reviews, and code reviews
• Translate security findings into developer-friendly remediation guidance with code examples and implementation patterns
• Support Security Champions with security questions, design reviews, and knowledge sharing
SSDLC & Program Development
• Contribute to SSDLC policy development and security requirements documentation grounded in OWASP SAMM practices
• Define and refine security verification service offerings based on application risk profiles
• Support the standardization of security assessment intake, execution, and reporting processes via ServiceNow
• Maintain security verification documentation including testing methodologies, checklists, and runbooks
• Track and report on security assessment metrics including coverage, finding severity distribution, and remediation timelines
What You Will Need to Succeed
• 5 to 7+ years of experience in application security, software security engineering, or related roles
• Hands-on experience conducting security assessments including code review, penetration testing, or vulnerability analysis
• Demonstrated ability to threat model applications and identify security design flaws
• Proficiency with application security testing tools and methodologies
• Strong understanding of at least one programming language and web application architecture
• Experience working directly with development teams to remediate security findings
Preferred
• GIAC Web Application Penetration Tester (GWAPT), Offensive Security Certified Professional (OSCP), or Certified Application Security Engineer (CASE) certification
• Experience with GitHub Advanced Security (GHAS) including CodeQL, Dependabot, and secret scanning
• Background in software development or DevOps with a transition to security
• Familiarity with OWASP SAMM, BSIMM, or similar secure development maturity frameworks
• Experience operating a Security Champions program or developer security enablement initiative
• Prior work in regulated industries (healthcare, financial services, government)
• Contributions to open source security tools or vulnerability research
• Strong understanding of common web application vulnerabilities (OWASP Top 10, SANS Top 25) and secure coding practices
• Practical experience conducting security assessments including SAST/DAST analysis, manual code review, and penetration testing
• Proficiency with application security testing tools (Burp Suite, OWASP ZAP, or similar)
• Solid understanding of at least two programming languages (Python, Java, C#, JavaScript, Go) sufficient to review code for security issues
• Experience with API security testing (REST, GraphQL, SOAP) and authentication/authorization mechanisms (OAuth, SAML, JWT)
• Working knowledge of CI/CD security integration and tools like GitHub Advanced Security, SonarQube, or Snyk
Security Knowledge
• Strong grasp of threat modeling methodologies (STRIDE preferred) and risk assessment
• Understanding of secure architecture principles and security design patterns
• Familiarity with cloud security fundamentals (AWS, Azure, or GCP)
• Knowledge of vulnerability scoring systems (CVSS, EPSS) and prioritization frameworks
• Awareness of compliance requirements (SOC 2, GDPR, HIPAA) and how they apply to application security
Collaboration & Communication
• Ability to communicate complex security issues clearly to both technical and non-technical audiences
• Skill in building trust and partnerships with development teams rather than acting as a gatekeeper
• Comfort working in a fast-paced agile environment where security must enable delivery
• Experience mentoring or enabling developers on security topics
• Track record of translating security findings into practical, actionable remediation guidance
What you can expect from us:
Base annual salary target: $120000 - $150000 (yes, we do have flexibility if needed)
• Opportunity for annual cash bonus
• Health / Dental / Vision Benefits Day-One
• 5% matching 401k
• Additional benefits including but not limited to financial support, pet insurance, mental health resources, volunteer paid days off, employee stock program, foundation donation matching, and much more!
What Success Looks Like
First 90 Days
• Complete security assessment training and shadow senior team members on 3-5 assessments across different service types
• Conduct your first independent security assessment from intake through finding delivery and remediation support
• Build relationships with Security Champions across 5-10 development teams
• Contribute to at least one security verification service documentation or process improvement
First Year
• Execute 20+ security assessments across the full range of security verification services
• Lead threat modeling sessions for 10+ applications or major features
• Deliver security training or enablement sessions to at least 5 development teams
• Build at least two security automation tools, scripts, or integrations that improve assessment efficiency
• Achieve
• Contribute meaningfully to SSDLC policy development and security requirements documentation
Ongoing Excellence
• Serve as a trusted security partner to development teams, known for practical guidance and enabling delivery
• Continuously expand security verification service offerings based on emerging threats and technology adoption
• Mentor junior team members and Security Champions on security assessment techniques
• Contribute to the maturation of IDEXX's application security program aligned with OWASP SAMM practices
• Identify and drive automation opportunities that increase security coverage without requiring proportional headcount growth
• Support board-level reporting by maintaining accurate metrics on application security posture, assessment coverage, and vulnerability trends
