Blue Cross and Blue Shield of Nebraska

Sr Applications Security Engineer

Information Technology
5 - 7 years of experience
Job Overview by Ladders

Qualifications

  • Bachelor’s degree in Computer Science, Information Security, or related field (or equivalent experience)
  • 6 years of experience in application security, secure software development, or DevSecOps
  • Hands-on experience with SAST, DAST, and dependency scanning tools
  • Strong understanding of application vulnerability classes including OWASP Top 10
  • Experience integrating security into CI/CD pipelines
  • Proven ability to assess risk and prioritize remediation
  • Strong communication skills to work effectively with diverse teams

Responsibilities

  • Own and operate application security tooling including SAST, DAST, and software composition analysis
  • Embed application security into CI/CD pipelines and workflows
  • Perform secure code reviews and validate vulnerabilities
  • Define and maintain secure coding standards and reusable security patterns
  • Establish guardrails for AI-assisted and AI-generated code
  • Partner with development teams to triage findings and drive effective remediation
  • Apply risk-based decision making aligned to organizational risk appetite

Benefits

  • Remote flexibility with one day per week in the office
  • Opportunity to travel to headquarters based on business needs
  • Mentorship and documentation opportunities to improve program resiliency
  • Involvement in audit readiness and regulatory support for application security
  • Collaboration with engineering, architecture, and risk teams to deliver scalable security solutions

Full Job Description

The Senior Application Security Engineer will serve as a technical leader and owner of company application security capabilities. This role is responsible for implementing and operating secure software development practices across the enterprise, with a strong focus on static and dynamic code analysis, DevSecOps integration, AI-related code risk, and risk-based vulnerability management.

We are looking for an experienced practitioner who can operate independently, take ownership of outcomes, and partner effectively with engineering, architecture, and risk teams to deliver practical, scalable security solutions.

The ideal candidate will live within driving distance of the Omaha, Nebraska office. This position allows remote flexibility but will have 1 day per week in the office.

If living in one of our approved states (Florida, Iowa, Kansas, Minnesota, Missouri, Nebraska, North Dakota, and Texas), this person may travel to our headquarters based on business needs.

What you'll do:

  • Own and operate application security tooling, including SAST, DAST, and software composition analysis, ensuring tools are tuned, effective, and aligned to business risk.

  • Embed application security into CI/CD pipelines and development workflows to support shift‑left security while minimizing developer friction.

  • Perform secure code reviews and validate vulnerabilities for exploitability, impact, and remediation feasibility.

  • Define and maintain secure coding standards, guidance, and reusable security patterns for development teams.

  • Establish guardrails and review expectations for AI‑assisted and AI‑generated code, reducing unowned and unmanaged application risk.

  • Partner with development teams to triage findings, reduce false positives, and drive effective remediation.

  • Apply risk‑based decision making aligned to organizational risk appetite and compliance frameworks (NIST, HIPAA, SOC 2).

  • Support application threat modeling and identification of architectural security gaps.

  • Collaborate with cloud, platform, and identity teams to ensure applications integrate securely with enterprise services.

  • Contribute to audit readiness, evidence collection, and regulatory support related to application security controls.

  • Reduce single‑points‑of‑failure by documenting processes, mentoring others, and improving program resiliency.

To be considered for this position you must have:

  • Bachelor’s degree in Computer Science, Information Security, or a related field (or equivalent experience).

  • 6 years of experience in application security, secure software development, or DevSecOps.

  • Hands‑on experience with SAST, DAST, and dependency scanning tools, including tuning and operational ownership.

  • Strong understanding of application vulnerability classes (OWASP Top 10, APIs, authentication, authorization).

  • Experience integrating security into CI/CD pipelines and development workflows.

  • Proven ability to assess risk, prioritize remediation, and clearly communicate decisions.

  • Comfort working independently, taking ownership, and driving outcomes with minimal oversight.

  • Strong communication skills with the ability to work effectively with developers, architects, and leadership.

An equivalent combination of education and experience may be substituted for this requirement. Candidates must be able to meet or exceed the attendance and timeliness requirements of their departments. On-call work may be required based on business needs and role assignment. Candidates must also be able to work well in a team environment and be capable of building and maintaining positive relationships with other staff, departments, and customers.

To perform this job successfully, an individual must be able to perform each essential duty satisfactorily. The requirements listed are representative of the knowledge, skill, and/or ability required. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions. Other duties may be assigned.

The strongest candidates will also have:

  • Experience in healthcare or other regulated industries.

  • Familiarity with Azure PaaS and cloud‑native application architectures.

  • Exposure to AI‑assisted development risks, automation, or modern code‑generation tools.

  • Threat modeling experience and security design review participation.

  • Scripting or automation experience (Python, PowerShell, Bash).

  • Relevant certifications (CSSLP, GWAPT, CISSP, or equivalent).

About Blue Cross and Blue Shield of Nebraska

Blue Cross and Blue Shield of Nebraska (BCBSNE) is a non-profit health insurance company headquartered in Omaha, Nebraska. The company provides health insurance coverage to individuals, families, and businesses in Nebraska. BCBSNE offers a variety of health insurance plans, including individual and family plans, Medicare supplement plans, and employer group plans. The company was founded in 1939 and has since grown to over 800 employees.