Application Security Engineer

Centerfield Media
Los Angeles, United States of America
23 days ago

Role details

Contract type
Permanent contract
Employment type
Full-time (> 32 hours)
Working hours
Regular working hours
Languages
English
Experience level
Senior

Job location

Remote
Los Angeles, United States of America

Tech stack

.NET
PHP
API
Artificial Intelligence
Amazon Web Services (AWS)
C Sharp (Programming Language)
Cloud Computing
Cloud Computing Security
Computer Security
Continuous Integration
Information Leak Prevention
DevOps
Github
Information Security Management
Python
Node.js
PCI Data Security Standards
Systems Development Life Cycle
Next.js
Secure Coding
Web Application Security
Software Engineering
SonarQube
Software Vulnerability Management
AI Infrastructure
Scripting (Bash/Python/Go/Ruby)
Google Cloud Platform
Large Language Models
Software Security
GWAPT
Kubernetes
Amazon Web Services (AWS)
Jenkins
Static Application Security Testing
Dynamic Application Security Testing

Job description

  • Establish a consistent AppSec operating model across engineering teams (intake, triage, remediation, exceptions, reporting).
  • Increase coverage and signal quality for SAST, SCA, secrets scanning, and DAST across CI/CD.
  • Improve mean-time-to-remediate for critical findings and reduce repeat vulnerabilities through root-cause fixes.
  • Make threat modeling and design reviews a standard part of delivering new capabilities.

How You'll Contribute...

  • Build and run the AppSec program: Define standards, workflows, and SLAs for identifying, prioritizing, and remediating application vulnerabilities.
  • Embed security into the SDLC: Integrate security checks into build and deployment pipelines (e.g., GitHub/Jenkins) and make results actionable for engineering teams.
  • Security testing at scale: Operate and tune AppSec tooling for SAST, DAST, and SCA, and ensure teams can consistently scan code and dependencies.
  • Threat modeling & design reviews: Lead threat modeling sessions and architecture reviews for new services and major changes to identify risks early.
  • Secure code reviews: Partner with engineering to review high-risk changes and coach teams on secure coding patterns.
  • AI security testing: Design and execute security testing for AI infrastructure and workflows, including access controls for AI agents and LLM-focused vulnerability testing (e.g., hallucination and misinformation risks, data leakage and exfiltration, prompt injection, jailbreaks, and toxicity or abuse content generation).
  • Vulnerability management: Own the end-to-end lifecycle including intake, triage, prioritization, remediation guidance, verification, and root cause analysis.
  • Tooling & automation: Manage and continuously improve AppSec tools and workflows (e.g., Mend.io, SonarQube, and related ecosystem). Use scripting and APIs (Python preferred) to automate repetitive tasks and reporting.
  • Developer enablement: Create lightweight training, office hours, and a Security Champions model that scales across teams.
  • Cross-functional partnership: Work closely with Software Engineering, DevOps, Security, and Security Operations to align detection, response, and hardening efforts., * This is ideally a hybrid position, and employees are expected to work in our Playa Vista, CA office every Tuesday, Wednesday & Thursday
  • Competitive salary + semi-annual bonus
  • Unlimited PTO - take a break when you need it!Industry-leading medical, dental, and vision plans + generous parental leave
  • 401(k) company match plan - fully vested on day 1
  • Outside patio overlooking Playa Vista + cabanas, firepits & working grills
  • Monthly happy hours, catered lunches + daily food trucks
  • Award-winning culture & unprecedented team spirit (featured in LA Business Journal & Built In LA)Fully stocked kitchens with snacks & drinks
  • Breakroom supplied with games, couches, workout equipment + weekly in-office exercise classes hosted by professional instructors (yoga, kickboxing & circuit training)
  • Free onsite gym + locker rooms
  • Paid charity and volunteer days (local mentor programs, adopt a pet, beach cleanup, etc.)
  • Monthly team outings (ball games, casino night, hikes, etc.)
  • Career growth - we enjoy promoting from within!

#LI-CC1 #LI-Remote

AI & Interview Policy

At Centerfield, we use AI tools internally to support efficiency and fairness in our hiring process, including resume screening and administrative tasks.

Candidates are welcome to use AI tools ethically to prepare for interviews, such as practicing responses or researching questions. However, all responses during the interview process should reflect your own knowledge, experience, and judgment.

The use of AI tools to generate responses during live interviews, technical assessments, or written submissions is not permitted unless explicitly stated otherwise.

Requirements

  • 7+ years of experience in software engineering and/or application security, with meaningful ownership of an AppSec program or function.
  • Strong understanding of modern web application security, common attack patterns, and secure design principles.
  • Experience building security into CI/CD and developer workflows, including SAST, DAST, SCA, Secrets scanning, Container and/or IaC scanning.
  • Hands-on experience working with multiple stacks such as Node/Next.js, C#/.NET, Python, and PHP.
  • Practical cloud and platform understanding (Centerfield is primarily AWS with some Google Cloud Platform), including how modern apps run on Kubernetes/EKS and ECS/Fargate.
  • Strong communication skills and ability to explain security tradeoffs to both technical and non-technical audiences.
  • Proven ability to lead cross-team initiatives, set standards, and drive adoption in environments with varied tooling and legacy constraints.
  • Familiarity with compliance-driven environments and ability to translate requirements into engineering-friendly controls (SOC 2, HIPAA and/or PCI-DSS).

Bonus Points...

  • Experience with cloud security tooling and posture management tools: Jenkins. GitHub, Mend.io, SonarQube, Wiz.io.
  • Experience building Security Champions programs and scalable developer education.
  • Experience with threat modeling methodologies and running design review programs.
  • Familiarity with bug bounty, responsible disclosure, and coordinated vulnerability disclosure processes.
  • Experience supporting regulated production environments with clear separation of scopes (e.g., PCI vs. non-PCI).
  • Relevant certifications (e.g., CSSLP, GWAPT, GWEB, OSWE, AWS Security Specialty) or equivalent demonstrated expertise.

About the company

Supercharged customer acquisition. Centerfield delivers outcome-based digital marketing solutions and personalized omnichannel experiences for the world's leading brands. Powered by our proprietary Dugout platform, Centerfield acquires customers at scale for leading residential service, insurance, e-commerce, and B2B brands. Centerfield's digital experiences and digital brands, such as Business.com and BroadbandNow.com, reach more than 150 million in-market shoppers annually. Centerfield is headquartered in Silicon Beach and is proud to be recognized by Built in LA as a Best Place to Work in Los Angeles.

Apply for this position