Description:
This role focuses on identifying, analyzing, and mitigating application security vulnerabilities throughout the SDLC. It supports a broader “Shift Left” cybersecurity strategy, ensuring security is integrated early in development and reinforced through DevSecOps practices.
Application Security & Testing
- Perform security testing: SAST, DAST, IAST, mobile security, and dynamic testing
- Analyze vulnerabilities and recommend secure coding fixes
- Demonstrate vulnerabilities to development teams
- Drive remediation efforts to closure
DevSecOps & Tooling
- Work within CI/CD pipelines using tools such as:
- Jenkins, GitLab, GitHub Actions, TeamCity
- Checkmarx, GitHub Advanced Security, Burp Suite
- Integrate security controls into development workflows
WAF & Security Controls
- Lead Web Application Firewall (WAF) deployment for new and existing apps
- Implement application security policies, controls, and standards
Collaboration & Enablement
- Partner with development, platform, and supplier teams
- Provide clear remediation guidance
- Train teams on secure coding and application security practices
- Develop training materials
Assessment & Reporting
- Conduct security assessments using standard tools
- Track and report:
- Risks
- Milestones
- Deliverables
- Status updates
- Recommend strategies based on application risk posture
This role is based in Auburn Hills, MI and is required to be on-site in our HQ building 5 days per week.
Requirements:
Bachelor's degree in Computer Science, Information Technology, or related field
3+ years of hands-on experience in application security, security testing, and DevSecOps
Strong understanding of:
- Application architectures (web, mobile, APIs)
- Software development methodologies (Agile, SDLC)
- Modern programming languages (Java, C#, Python)
Experience performing and interpreting results from:
- SAST, DAST, IAST, SCA, and mobile security testing tools
Hands-on experience with secure code review in common languages (Java, C#, Python preferred)
Prior background in application development, including:
- Compiled code
- Web applications / services
- Mobile app development
Knowledge of security frameworks and standards:
- NIST, ISO 27001
- NIST SSDF or similar secure development frameworks
Strong understanding of:
- OWASP Top 10 vulnerabilities and mitigation techniques
- Common attack vectors (web exploits, DDoS, bot attacks)
Experience with WAF technologies:
- Akamai, Cloudflare, AWS WAF, Azure Front Door
Familiarity with cloud platforms and modern environments:
- AWS, Azure, GCP
- Containers (Docker, Kubernetes)
Working knowledge of:
- Programming/scripting: Java, JavaScript, SQL, HTML
- Scripting languages (Python, Bash preferred)
Strong analytical, problem-solving, and communication skills
- Ability to explain technical risks to non-technical audiences
- Experience writing security reports and documentation
Ability to work independently and cross-functionally
- Industry certifications:
- GIAC GWEB
- ISC2 CSSLP
- EC-Council CASE
- Or equivalent AppSec certifications