Vertafore, Inc.

Sr. Application Security Engineer

Vertafore, Inc. | $110K - $140K *
Information Technology
7+ years of experience
Job Overview by Ladders

Qualifications

  • Bachelor's degree in Cybersecurity, Computer Science, Information Technology, Software Engineering, or equivalent experience.
  • 7+ years experience in application security, product security, or security engineering roles.
  • Hands-on experience with application security reviews, threat modeling, and secure SDLC practices.
  • Experience securing cloud-hosted applications, APIs, and CI/CD pipelines.
  • Knowledge of AI application security and AI agents is preferred.
  • Familiarity with security tools including SAST, DAST, and API security testing.
  • Security certifications such as CISSP or AWS Security Specialty are a plus.

Responsibilities

  • Partner with product and engineering teams to conduct application security and architecture reviews.
  • Document application architecture from a security perspective.
  • Identify and prioritize application security risks across various platforms.
  • Provide guidance on secure coding, vulnerability remediation, and secrets management.
  • Integrate security tooling into CI/CD pipelines to enhance security controls.
  • Define operational security controls for AI-enabled product features.
  • Collaborate with DevOps to embed security without adding developer friction.

Benefits

  • Remote work flexibility with stable internet connection available.
  • Up to 10% travel requirement.
  • Support for professional development and training in security.
  • Mentorship opportunities within the engineering and security teams.
  • Participation in security policy and compliance efforts.

Full Job Description
The Senior Application Security Engineer is responsible for advancing application, product, cloud, API, identity, and AI security across Vertafore's software engineering organization. This role partners directly with product, engineering, architecture, DevOps, cloud, and security teams to identify risk early, define secure design patterns, and embed scalable security controls into the software development lifecycle.

This role will serve as a hands-on technical security partner for application teams, helping them understand and document application architecture from a security perspective, identify trust boundaries and attack paths, and implement practical mitigations. The Senior Application Security Engineer will support secure design reviews, threat modeling, secure coding practices, vulnerability management, CI/CD security controls, API security, identity and access management patterns, and emerging AI/agentic product security capabilities.

A key focus of this position is securing AI-enabled applications and AI agents integrated into Vertafore products. This includes understanding AI agent architecture, authentication and authorization patterns, memory handling, prompt tracing, tool/plugin access, guardrails, model and runtime behavior, AI runtime scanning, and secure use of code-assist tools within engineering workflows.

The ideal candidate is a strong application security practitioner who can translate complex technical risk into actionable engineering guidance, influence teams without direct authority, and help product teams ship securely without unnecessary friction.

Core Requirements and Responsibilities:

Essential job functions include but are not limited to the following:
• Partner with product and engineering teams to perform application security reviews, secure architecture reviews, and threat modeling for new and existing applications, services, APIs, integrations, and cloud-native workloads.
• Work with teams to understand application architecture, data flows, trust boundaries, authentication and authorization models, third-party integrations, deployment patterns, and security-relevant design decisions.
• Document application architecture from a security perspective, including key assets, identity flows, privilege boundaries, attack surfaces, sensitive data flows, control gaps, and recommended mitigations.
• Identify and prioritize application security risks across web applications, APIs, microservices, SaaS platforms, cloud services, CI/CD pipelines, infrastructure-as-code, and AI-enabled product capabilities.
• Provide hands-on guidance to engineering teams on secure coding, secure design, vulnerability remediation, secrets management, dependency risk, API security, input validation, authentication, authorization, session management, logging, and error handling.
• Support and improve secure SDLC practices, including security requirements, design review checkpoints, threat modeling, secure code review, automated scanning, developer education, exception management, and remediation tracking.
• Integrate and tune security tooling across CI/CD pipelines, including SAST, SCA, IaC scanning, container scanning, DAST, API security testing, secrets detection, and AI runtime security scanning where applicable.
• Help define and operationalize security controls for AI agents and AI-enabled product features, including guardrails, authentication, authorization, prompt tracing, model/tool interaction logging, memory controls, data leakage prevention, abuse-case testing, and runtime monitoring.
• Evaluate the secure use of AI code-assist tools and developer productivity tools, including risks related to data exposure, insecure code generation, hallucinated dependencies, licensing, secrets leakage, provenance, and secure review workflows.
• Collaborate with DevOps and platform teams to embed security controls into CI/CD workflows while minimizing developer friction and false positives.
• Review identity and access management patterns across applications and platforms, including IAM, PAM, JIT access, service accounts, least privilege, privileged workflows, role design, federation, SSO, API access, token handling, and lifecycle governance.
• Partner with cloud and infrastructure teams to review application-level cloud security controls across AWS, Azure, and related platforms.
• Support vulnerability management by validating findings, assessing exploitability and business impact, partnering on remediation plans, and escalating material risks when needed.
• Develop reusable security patterns, reference architectures, standards, guardrails, and implementation guidance for engineering teams.
• Mentor engineers and security team members on application security, cloud security, API security, AI security, threat modeling, and secure SDLC practices.
• Communicate risk clearly to technical and non-technical stakeholders, including engineering leaders, product leaders, compliance partners, and security leadership.
• Contribute to security policy, standards, compliance, and audit readiness efforts related to application security, product security, identity, cloud, AI, and SDLC controls.
• Participate in security incident response, security operations escalation, or on-call processes as required by the business.

Knowledge, Skills and Abilities:
• Strong knowledge of application security principles, secure design, secure coding, web application security, API security, cloud-native application security, and secure SDLC practices.
• Strong understanding of common application and API vulnerabilities, including OWASP Top 10, OWASP API Security Top 10, authentication bypass, authorization flaws, injection, insecure deserialization, SSRF, business logic flaws, secrets exposure, and supply chain risks.
• Experience performing security architecture reviews, threat modeling, design reviews, and risk assessments for modern software systems.
• Ability to understand complex application architectures and document them from a security perspective, including data flows, trust boundaries, identity flows, external integrations, and critical control points.
• Working knowledge of AI-enabled application and AI agent security concepts, including agent components, tool use, memory, prompt handling, prompt tracing, guardrails, authentication, authorization, runtime monitoring, abuse-case testing, and data protection.
• Familiarity with AI security frameworks, patterns, or risk areas such as prompt injection, indirect prompt injection, tool misuse, excessive agency, data leakage, insecure plugin/tool access, model output handling, and agentic workflow abuse.
• Experience evaluating or securing AI code-assist tools, including secure configuration, acceptable-use guardrails, source code exposure risks, generated-code review practices, and developer workflow controls.
• Experience integrating security testing and security gates into CI/CD pipelines, including SAST, SCA, IaC scanning, container scanning, secrets scanning, DAST, API testing, and AI runtime scanning.
• Strong understanding of identity and access management concepts, including IAM, PAM, JIT access, least privilege, RBAC/ABAC, federation, SSO, MFA, privileged workflows, service identities, API tokens, and access lifecycle management.
• Experience with cloud security concepts and services across AWS and/or Azure, particularly as they relate to application workloads, identity, networking, logging, encryption, and deployment pipelines.
• Familiarity with WAF, API gateway, rate limiting, bot protection, DLP, logging/monitoring, SIEM integrations, and application-layer detective and preventive controls.
• Ability to assess vulnerabilities based on exploitability, compensating controls, business impact, and remediation complexity rather than scanner severity alone.
• Ability to influence engineering teams and product stakeholders through practical, risk-based guidance.
• Strong written and verbal communication skills, including the ability to explain security risk, tradeoffs, and recommended actions to both technical and non-technical audiences.
• Ability to create repeatable standards, patterns, playbooks, and architecture guidance that scale across multiple teams and products.
• Strong collaboration skills with engineering, architecture, DevOps, cloud, compliance, IT, identity, and security operations teams.
• Ability to work independently, manage competing priorities, and operate effectively in a remote or hybrid environment.

Skills & Requirements
Qualifications:
• Bachelor's degree in Cybersecurity, Computer Science, Information Technology, Software Engineering, or related field OR equivalent experience.
• 7+ years of experience in application security, product security, security engineering, software engineering with security focus, cloud security, or security architecture.
• Hands-on experience with application security reviews, threat modeling, secure SDLC practices, vulnerability management, and engineering partnership.
• Experience securing cloud-hosted applications, APIs, microservices, CI/CD pipelines, and modern software delivery environments.
• Experience with several of the following security tools or control areas: SAST, DAST, SCA, secrets scanning, container scanning, IaC scanning, API security testing, WAF, CNAPP/CSPM, CI/CD security controls, SIEM/logging, or runtime application security monitoring.
• Experience with identity and access management patterns, including IAM, PAM, JIT access, privileged access workflows, service account governance, SSO, MFA, RBAC/ABAC, and least privilege.
• Experience or demonstrated working knowledge of AI application security, AI agents, LLM-enabled product features, AI runtime controls, AI-assisted development workflows, or secure AI adoption is strongly preferred.
• Experience working directly with software engineering teams to document architecture, identify security risks, and drive remediation through practical engineering guidance.
• Security certifications are a plus, such as CSSLP, CISSP, GWAPT, GWEB, AWS Security Specialty, CCSP, or other relevant credentials.
• Familiarity with regulatory, compliance, or control frameworks such as SOC 2, ISO 27001, NIST CSF, NIST SSDF, OWASP ASVS, OWASP SAMM, or similar frameworks is preferred.

Additional Requirements and Details:
• Travel required up to 10% of the time.
• Ability to work remotely with a stable internet connection on an as-needed basis.
• Located at and working from an office location when required.
• Occasional lifting and/or moving up to 10 pounds.
• Frequent repetitive hand and arm movements required to operate a computer.
• Specific vision abilities required by this job include close vision (working on a computer, etc.).
• Frequent sitting and/or standing.


About Vertafore, Inc.

Vertafore, Inc. is a software company that provides insurance technology solutions. The company was founded in 1969 and is headquartered in Bothell, Washington. Vertafore operates in the technology sector and has a workforce of over 1700 employees. The company's products and services are designed to help insurance agencies and carriers manage their operations more efficiently. Vertafore's solutions include agency management, rating and connectivity, content management, and compliance and licensing. The company has a strong presence in the United States and serves over 20,000 customers.