Cybersecurity Application Security Engineer
Role details
Job description
We are seeking a highly skilled Application Security Engineer with strong experience across secure code review, penetration testing, automation, and modern SDLC practices, including emerging AI/LLM security. In this role, you will partner closely with engineering, cloud, and product teams to safeguard our applications, services, and AI-driven components from design through production. You will combine hands-on technical testing with scalable automation and developer enablement to mature our AppSec program and ensure secure, resilient applications at speed.
This position requires work in support of the Company's contract with the United States Department of Education ("ED"). As such, the United States Government requires that any applicant for this position must complete United States Government security clearance. Effective June 1, 2018, ED has informed Nelnet that security clearance applications for foreign nationals are not being accepted or processed. In light of this direction from ED, Nelnet will be unable to hire applicants without United States citizenship for such positions.
- Manual source code review
- SAST/DAST scanning
- Expand the Security Champions program
- Develop automated source code review processes
- Work with product teams to ensure secure SDLC processes are in place
- Provide detailed vulnerability reports to business units
Requirements
- 2-4 years of hands-on application security experience
- Experience integrating security tooling and automated checks into CI/CD pipelines
- Familiarity and experience with OWASP Top 10 and web testing methodologies
- Experience with effectively assessing and communicating risks and appropriate levels of urgency to management and engineering staff
- Experience with technical report writing and communication
- Strong manual code review experience in at least one major language (Java, JavaScript/TypeScript, C#, PHP, etc.)
- Solid threat-modeling expertise (STRIDE, attack trees, misuse cases) for both traditional systems and AI/LLM-integrated features
- Proficiency with SAST, SCA, DAST, web and mobile pentesting, container scanners, secrets-detection tools, and ideally AI-security scanning platforms
- Experience integrating security tooling and automated checks into CI/CD pipelines
- Scripting/automation skills (Python, Bash, Node) for building custom tooling and automating manual processes
- Good understanding of AI/LLM attack surfaces including prompt injection, insecure output handling, model-data leakage, and RAG vulnerabilities
- Strong knowledge of web/API security concepts (session management, secure storage, transport security)
- Excellent organizational, presentation, verbal, and written communication skills
- Ability to effectively assess and communicate risks and appropriate levels of urgency to management and engineering staff
- Aptitude for self-study and for setting and achieving long-term goals
- Actively seeks to remain technically current and increase expertise and abilities
- Challenges prevailing assumptions when appropriate
- Willing to adapt to changing technology and business landscapes
- Sees change as an opportunity to be challenged and to grow
- Ability to adapt style of communications to match audience and information sharing needs
Wants:
- Experience performing secure code reviews or building internal developer tooling.
- Previous work with AI or LLM-integrated applications, model security, or prompt safety.
- Experience with mobile security, reverse engineering, or platform-specific secure coding.
- Certifications such as OSWE, OSCP, GWAPT, GCSA, GCPN, or ML security certs (not required but beneficial).
- Ability to mentor junior developers/engineers in secure design and coding practices.
Benefits & conditions
Pay range for this role is $90,000-$125,000 annually, depending on experience.