Sr. Application Security Engineer
Vertafore · Denver, CO · 3 wk ago
Information TechnologyFull-time
About the role
The Senior Application Security Engineer is responsible for advancing application, product, cloud, API, identity, and AI security across Vertafore's software engineering organization. This role partners directly with product, engineering, architecture, DevOps, cloud, and security teams to identify risk early, define secure design patterns, and embed scalable security controls into the software development lifecycle.
Responsibilities
- Partner with product and engineering teams to perform application security reviews, secure architecture reviews, and threat modeling for new and existing applications, services, APIs, integrations, and cloud-native workloads.
- Work with teams to understand application architecture, data flows, trust boundaries, authentication and authorization models, third-party integrations, deployment patterns, and security-relevant design decisions.
- Document application architecture from a security perspective, including key assets, identity flows, privilege boundaries, attack surfaces, sensitive data flows, control gaps, and recommended mitigations.
- Identify and prioritize application security risks across web applications, APIs, microservices, SaaS platforms, cloud services, CI/CD pipelines, infrastructure-as-code, and AI-enabled product capabilities.
- Provide hands-on guidance to engineering teams on secure coding, secure design, vulnerability remediation, secrets management, dependency risk, API security, input validation, authentication, authorization, session management, logging, and error handling.
- Support and improve secure SDLC practices, including security requirements, design review checkpoints, threat modeling, secure code review, automated scanning, developer education, exception management, and remediation tracking.
- Integrate and tune security tooling across CI/CD pipelines, including SAST, SCA, IaC scanning, container scanning, DAST, API security testing, secrets detection, and AI runtime security scanning where applicable.
- Help define and operationalize security controls for AI agents and AI-enabled product features, including guardrails, authentication, authorization, prompt tracing, model/tool interaction logging, memory controls, data leakage prevention, abuse-case testing, and runtime monitoring.
- Evaluate the secure use of AI code-assist tools and developer productivity tools, including risks related to data exposure, insecure code generation, hallucinated dependencies, licensing, secrets leakage, provenance, and secure review workflows.
- Collaborate with DevOps and platform teams to embed security controls into CI/CD workflows while minimizing developer friction and false positives.
- Review identity and access management patterns across applications and platforms, including IAM, PAM, JIT access, service accounts, least privilege, privileged workflows, role design, federation, SSO, API access, token handling, and lifecycle governance.
- Partner with cloud and infrastructure teams to review application-level cloud security controls across AWS, Azure, and related platforms.
- Support vulnerability management by validating findings, assessing exploitability and business impact, partnering on remediation plans, and escalating material risks when needed.
- Develop reusable security patterns, reference architectures, standards, guardrails, and implementation guidance for engineering teams.
- Mentor engineers and security team members on application security, cloud security, API security, AI security, threat modeling, and secure SDLC practices.
- Communicate risk clearly to technical and non-technical stakeholders, including engineering leaders, product leaders, compliance partners, and security leadership.
- Contribute to security policy, standards, compliance, and audit readiness efforts related to application security, product security, identity, cloud, AI, and SDLC controls.
- Participate in security incident response, security operations escalation, or on-call processes as required by the business.
Qualifications
- Bachelor’s degree in Cybersecurity, Computer Science, Information Technology, Software Engineering, or related field OR equivalent experience.
- 7+ years of experience in application security, product security, security engineering, software engineering with security focus, cloud security, or security architecture.
- Hands-on experience with application security reviews, threat modeling, secure SDLC practices, vulnerability management, and engineering partnership.
- Experience securing cloud-hosted applications, APIs, microservices, CI/CD pipelines, and modern software delivery environments.
- Experience with at least several of the following security tools or control areas: SAST, DAST, SCA, secrets scanning, container scanning, IaC scanning, API security testing, WAF, CNAPP/CSPM, CI/CD security controls, SIEM/logging, or runtime application security monitoring.
- Familiarity with regulatory, compliance, or control frameworks such as SOC 2, ISO 27001, NIST CSF, NIST SSDF, OWASP ASVS, OWASP SAMM, or similar frameworks is preferred.