Senior Application Security Engineer in San Francisco

• Perform manual and tool-assisted secure code reviews across Java and C#/.NET applications
• Analyse and triage vulnerabilities in open-source libraries and frameworks (CVE analysis)
• Assess applications against OWASP Top 10 and identify exploitable security issues
• Provide developers with actionable remediation guidance and architectural recommendations
• Use AI-assisted code analysis tools to accelerate vulnerability detection and validate findings
• Support vulnerability management, risk assessments, and compensating controls such as WAF rules
• Research emerging open-source vulnerabilities and produce mitigation guidance

My client is seeking a Senior Security Engineer to join their Application Security practice. This role is ideal for a hands-on AppSec professional with a strong software development background and deep experience performing secure code reviews, analysing CVEs, and working with SAST and SCA tools in real production environments., * 5+ years in software development, application security, or both

• Hands-on experience with SAST and/or SCA tools (e.g. Checkmarx, SonarQube, Black Duck)
• Real-world experience performing CVE analysis and exploitability triage
• Strong Java proficiency (JDK 8-21, Spring, Maven/Gradle)
• Ability to review and understand complex codebases written by others
• Solid understanding of OWASP Top 10 and secure coding principles

Skills

• C#/.NET and ASP.NET Core experience
• DAST tools such as Burp Suite or OWASP ZAP
• Experience writing or validating WAF rules
• Secure SDLC, threat modelling, or security champion programmes
• Consulting or professional services background
• Cloud application security experience (AWS, Azure, or GCP)
• Certifications such as CSSLP, GWEB, GPEN, or OSCP