Application Security Engineer

Cigars International
Bethlehem, United States of America
3 days ago

Role details

Contract type
Permanent contract
Employment type
Full-time (> 32 hours)
Working hours
Regular working hours
Languages
English
Experience level
Intermediate

Job location

Bethlehem, United States of America

Tech stack

Kubernetes Security
Applications Architecture
Software System Penetration Testing
Encodings
DevOps
Information Technology Operations
Information Systems Security Architecture Professional
Key Management
Open Web Application Security
PCI Data Security Standards
Systems Development Life Cycle
Secure Coding
Web Application Security
Security Support Provider Interface
Software Engineering
Systems Integration
Software Vulnerability Management
Software Security
GWAPT
Checkmarx
Static Application Security Testing
Vulnerability Analysis
Dynamic Application Security Testing

Job description

The IT Application Security Analyst plays a key role in embedding security by design across the enterprise software development lifecycle (SDLC). This position partners closely with development, DevOps, QA, and IT Operations teams to integrate secure development frameworks, tooling, and practices that strengthen the security, resilience, and compliance of STG's applications and platforms.

The role focuses on advancing application security maturity by aligning development practices with industry standards such as NIST SSDF and OWASP ASVS, while enabling teams to deliver software securely and efficiently.

WHAT WILL YOU BE RESPONSIBLE FOR?

Secure SDLC & Governance

  • Assess and continuously improve SDLC processes, tools, and release workflows from a security perspective.
  • Perform gap analyses against secure-development frameworks including NIST SSDF and OWASP ASVS.
  • Define, maintain, and evolve secure development standards and procedures aligned with regulatory requirements such as PCI DSS and CCPA/GDPR.
  • Partner with engineering teams to recommend and implement practical security improvements across the SDLC.

Application Security Enablement

  • Embed security controls across all SDLC phases, including planning, design, coding, testing, deployment, and maintenance.
  • Deliver threat modeling, secure-design guidance, and application architecture reviews.
  • Establish and support secure design and code-review practices, coaching developers on security best practices.
  • Balance security requirements with developer experience and business requirements to reduce friction while increasing security maturity.

AppSec Tooling & Automation

  • Implement, operate, and optimize application security tooling including SAST, DAST, and SCA solutions.
  • Integrate security tooling (e.g., Snyk, Checkmarx) into CI/CD pipelines to enable automated vulnerability detection.
  • Define and enforce security gates or holds at key points within development and release workflows.
  • Ensure vulnerability findings are actionable, prioritized, and integrated into remediation processes.

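As an added illustration of the "security gates or holds" and "actionable, prioritized findings" bullets above, here is a small pipeline-step gate written for this page (it is example code, not tooling from Cigars International, Snyk or Checkmarx). It reads a SARIF 2.1.0 report, the interchange format most SAST/SCA scanners can export, and fails the step when findings at or above a severity threshold remain. The embedded report, the rule ids, the 7.0/4.0 severity cut-offs and the suppression list are constructed assumptions.

```python
# Severity gate for a CI step, driven by a SARIF 2.1.0 report. Example code
# added for illustration; not Cigars International's tooling nor part of Snyk
# or Checkmarx. Assumes the scanner already wrote a SARIF file; the embedded
# sample is constructed, not a real scan. Exits 1 when blocking findings remain.
import json
import sys

# SARIF result levels, ranked weakest to strongest.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

def cvss_to_level(score):
    """Map a 'security-severity' score (CVSS-like, 0-10) to a SARIF level.
    The 7.0/4.0 cut-offs are an assumption, not something SARIF defines."""
    if score >= 7.0:
        return "error"
    if score >= 4.0:
        return "warning"
    return "note"

def _rules_by_id(run):
    """Index the run's rule metadata by rule id."""
    rules = run.get("tool", {}).get("driver", {}).get("rules", [])
    return {rule.get("id"): rule for rule in rules}

def finding_level(result, rules):
    """Severity of one result. A rule's 'security-severity' property wins over
    the bare result level: scanners often emit every finding as 'warning' and
    carry the real severity in that property."""
    rule = rules.get(result.get("ruleId"), {})
    score = rule.get("properties", {}).get("security-severity")
    if score is not None:
        return cvss_to_level(float(score))
    default = rule.get("defaultConfiguration", {}).get("level", "warning")
    return result.get("level", default)

def collect_findings(sarif):
    """Flatten every result in every run into rule, level and location."""
    findings = []
    for run in sarif.get("runs", []):
        rules = _rules_by_id(run)
        for result in run.get("results", []):
            loc = result.get("locations", [{}])[0].get("physicalLocation", {})
            findings.append({
                "rule": result.get("ruleId"),
                "level": finding_level(result, rules),
                "file": loc.get("artifactLocation", {}).get("uri"),
                "line": loc.get("region", {}).get("startLine"),
                "message": result.get("message", {}).get("text", ""),
            })
    return findings

def gate(sarif, min_level="error", suppressed=()):
    """Return (passed, blocking). A finding blocks when its level is at or above
    min_level and its rule id is not in the reviewed suppression list."""
    threshold = LEVEL_RANK[min_level]
    blocking = [f for f in collect_findings(sarif)
                if LEVEL_RANK.get(f["level"], 0) >= threshold
                and f["rule"] not in suppressed]
    return (not blocking, blocking)

def _loc(uri, line):
    """Build a minimal SARIF location for the constructed sample."""
    return [{"physicalLocation": {"artifactLocation": {"uri": uri},
                                  "region": {"startLine": line}}}]

# Constructed sample report: three findings from a hypothetical SAST run.
SAMPLE_SARIF = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-sast", "rules": [
        {"id": "sql-injection", "properties": {"security-severity": "9.1"}},
        {"id": "hardcoded-secret", "defaultConfiguration": {"level": "error"}},
        {"id": "missing-security-header"},
    ]}},
    "results": [
        # Emitted as 'warning'; the rule's security-severity promotes it to 'error'.
        {"ruleId": "sql-injection", "level": "warning",
         "message": {"text": "User input reaches a SQL query."},
         "locations": _loc("src/orders.py", 42)},
        # No explicit level: falls back to the rule's default ('error').
        {"ruleId": "hardcoded-secret",
         "message": {"text": "Credential literal in source."},
         "locations": _loc("src/config.py", 7)},
        {"ruleId": "missing-security-header", "level": "note",
         "message": {"text": "Response lacks X-Content-Type-Options."},
         "locations": _loc("src/app.py", 15)},
    ],
}]}

if __name__ == "__main__":
    # Usage: python sarif_gate.py [report.sarif]; no argument gates the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as handle:
            report = json.load(handle)
    else:
        report = SAMPLE_SARIF
    passed, blocking = gate(report)
    for f in blocking:
        print(f"{f['level'].upper()} {f['rule']} {f['file']}:{f['line']} {f['message']}")
    sys.exit(0 if passed else 1)
```

The two design choices worth copying are that the rule's `security-severity` property overrides the result's `level` (otherwise a scanner that tags everything `warning` never trips an `error` gate), and that suppressions are keyed by rule id and meant to live in version control so a reviewed exception is visible in the diff rather than silently lowering the threshold.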
Testing, Monitoring & Vulnerability Management

  • Support static, dynamic, and penetration testing activities in partnership with internal and external resources.
  • Integrate vulnerability management, continuous monitoring, and remediation tracking into the SDLC.
  • Provide application-security support during security incidents and assist teams with investigation and remediation.

Platform & Architecture Security

  • Support secure platform and environment modernization efforts, including container security, OS hardening, and secrets management (e.g., Vault, Azure Key Vault).
  • Contribute to application and platform architecture improvements focused on security, stability, and resilience.

Requirements

  • 3+ years of experience in Application Security or Software Engineering with a focus on secure development practices.

  • Hands-on experience implementing secure SDLC frameworks such as NIST SSDF and OWASP ASVS.
  • Practical experience integrating SAST/DAST tools into CI/CD pipelines and workflows.
  • Working knowledge of PCI DSS and privacy regulations (CCPA/GDPR) as they impact software development.
  • Strong communication skills with the ability to influence and collaborate with engineering teams.
  • Experience with container security, image hardening, and secrets management technologies.
  • Familiarity with the OWASP Top 10, API security, and modern application security practices.
  • Experience coordinating or supporting penetration testing or DAST programs.
  • Relevant certifications such as CSSLP, CISSP, GWAPT, GCSA, or similar.

Benefits & conditions


  • Tuition reimbursement
  • Health insurance
  • 401(k) matching
  • Paid time off
  • Vision insurance
  • Dental insurance
