Spotterful

Main Responsibilities and Required Skills for Application Security Engineer

security analyst working on computer

An Application Security Engineer is a professional who is responsible for ensuring the security of an organization's software applications. They identify and mitigate security vulnerabilities in the code, track and prioritize all security issues, and monitor for potential security breaches. In this blog post we describe the primary responsibilities and the most in-demand hard and soft skills for Application Security Engineers.

Get market insights and compare skills for other jobs here.

Main Responsibilities of Application Security Engineer

The following list describes the typical responsibilities of an Application Security Engineer:

Analyze

  • Analyze, assess, and respond to various internet threats.

  • Analyze threats and vulnerabilities to determine security impact.

Assess

Assess the security of core platform infrastructure.

Assist in

  • Assist as required with specialist knowledge during security investigations.

  • Assist Development and QA Teams to set up static testing tools.

  • Assist development teams implementing secure SDLC practices.

  • Assist in building out our product security knowledge base.

  • Assist in formalizing and updating security policies, procedures and technical standards.

  • Assist in security auditing, networking, endpoint, application, and other security areas when needed.

  • Assist with Development teams to ensure secure architecture.

Attend

  • Attend daily stand-ups and communicate to higher-level stakeholders on project momentum.

  • Attend the daily stand ups to ensure that product features have security 'built in'.

Audit

  • Audit and tune threat models.

  • Audit code for security flaws and best practices.

Automate

  • Automate application security testing techniques and tools including, but not limited to.

  • Automate existing processes (scripts, tooling).

Build

  • Build and facilitate application security trainings for topics including.

  • Build, automate, and operate security testing capabilities.

  • Build a world-class engineering team while creating and implementing scalable software solutions.

  • Build internal security tools that help fix security problems at scale.

  • Build technologies to detect and prevent security vulnerabilities.

  • Build the security development training program to train developers on secure coding practices.

  • Build tools and integrate scanners for static and dynamic analysis.

Carry out

Carry out dynamic and manual security testing on APIs, web, and mobile applications.

Clean

Clean, confident, clear data combined with the insights of the team is what drives our decisions.

Coach

Coach and train developers on best security practices.

Code

Code review practice, functional and quality focus.

Collaborate with

  • Collaborate frequently with different engineering teams to identify and address security issues.

  • Collaborate with lead developers across the enterprise.

Collect

Collect and analyze application security metrics to effectively report on our security posture.

Communicate

Communicate concerns or potential risk to client leadership.

Conduct

  • Conduct initial security design review of proposed infrastructure.

  • Conduct internal penetration testing coordinating with external auditors.

  • Conduct Penetration testing against applications and infrastructure components (included cloud).

  • Conduct regular security assessments.

  • Conduct regular security assessments and code reviews.

  • Conduct routine status calls and project status reporting.

Configure

Configure systems to comply with industry best practices and hardening standards.

Coordinate

Coordinate with product, engineering and other departments to support secure outcomes.

Create

  • Create and deliver training content when necessary.

  • Create and maintain application security best practices.

  • Create documentation as part of the company's project lifecycle.

  • Create documentation including test cases and findings reports for POCs.

  • Create services, tools and process to manage the security of our applications.

Define

  • Define and document application security requirements.

  • Define secure mechanisms for critical business functions in cloud environments.

Describe

Describe business impact of identified vulnerabilities to engineering and management.

Design

Design and content team collaboration experience.

Develop

  • Develop and automate security tools and process.

  • Develop and deliver application security training to our engineering teams.

  • Develop automation and processes to identify security flaws in code.

  • Develop, implement, and communicate vulnerability mitigation strategies to development teams.

  • Develop new automation and tooling to improve our detection and prevention capabilities.

  • Develop secure code practices and provide hands-on training to developers and quality engineers.

  • Develop security-testing plans and integrate into the software development lifecycle.

  • Develop solution architectures to support the implementation of new technologies.

Direct

Direct the optimization of a DevOps CI / CD pipeline to produce secure code.

Document

Document security standards and reports.

Drive

  • Drive awareness and education around secure coding practices.

  • Drive the Application Security Architecture and tooling.

  • Drive the Threat modeling.

Educate

Educate developers on secure coding techniques and security best practices.

Enable

Enable other engineering teams to find flaws before they are introduced into production.

Enforce

Enforce compliance of Privacy and data usage policies.

Ensure

Ensure security policies are up-to-date.

Evaluate

  • Evaluate and manage third party risk to Duo products and customers.

  • Evaluate application security tools for internal consumption.

  • Evaluate, architect, implement, and support security-focused tools and services.

  • Evaluate incoming technical requests between the client Security and client Infrastructure teams.

Explain

Explain and interprets the vulnerability report items to development staff.

Exposure

Exposure to Kubernetes, Infrastructure as a code, Terraform and DevOps pipeline.

Facilitate

  • Facilitate communication between teams to maintain task momentum.

  • Facilitate third party penetration tests and perform vulnerability management.

Give

Give security presentations and represent Okta in private or public venues.

Handle

Handle customer related questions and concerns around application security, vulnerabilities and bugs.

Help

  • Help engineers design more secure applications via design input and code review.

  • Help evolve application security functions and services.

  • Help integrate application security testing into our CI / CD pipeline.

  • Help maintain custom tooling and documentation used by the application security team.

  • Help maintain engineering infrastructure systems used by the application security team.

Identify

  • Identify and remediate weaknesses in our processes and procedures.

  • Identify automation and configuration management processes to optimize global scanning operations.

  • Identify risks and areas of exposure in applications, our development process and architecture.

  • Identify risks to the project and follow through with all involved to mitigate issues.

  • Identify security exposures and develop mitigation plans.

Impact

Impact the product design by providing secure design patterns.

Implement

  • Implement and configure security controls related to application security and infrastructure.

  • Implement cloud security controls in AWS and help automate security processes when appropriate.

Improve

  • Improve and drive application security monitoring.

  • Improve security controls and processes related to SDLC and CI / CD pipelines.

Integrate

Integrate security into the CI / CD pipeline.

Interact with

Interact directly with the security community regarding vulnerabilities and threats.

Lead

  • Lead and manage our bug bounty program.

  • Lead application security testing efforts.

  • Lead Architecture and Planning for security efforts.

  • Lead bug intake and remediation process.

  • Lead our application security reviews and threat modeling, including code review and dynamic testing.

  • Lead security tooling adoption.

  • Lead the remediation of application vulnerability scanning and penetration testing.

Liaise with

  • Liaise with IT colleagues to assist with implementation and rollout of platform security tools.

  • Liaise with vendors and follow products used by Mastercard, from inception to decommission.

Maintain

  • Maintain an expert level understanding of attacks, vectors and emergent threats.

  • Maintain awareness of cyber trends, threats, and vulnerabilities.

  • Maintain, validate, and communicate the products' threat model, security properties, and trust model.

Manage

Manage security integration into the SDLC process.

Meet

Meet / exceeds Amazon's functional / technical depth and complexity for this role.

Mentor

Mentor other engineers in your areas of expertise.

Monitor

  • Monitor industry trends and threat landscape and recommend necessary controls or countermeasures.

  • Monitor trends, evolving risks and potential countermeasures.

Oversee

  • Oversee and maintain their Application Security endeavors.

  • Oversee development of security components throughout all stages of the SDLC.

Own

Own and document medium / large security-related epics and follow through until completion.

Participate in

  • Participate / assist in review of internal and external auditor findings and recommendations.

  • Participate in Agile delivery models with several product enablement teams.

  • Participate in application security testing efforts.

  • Participate in application vulnerability scanning and penetration testing.

  • Participate in development of security policies, standards, and processes.

  • Participate in incident handling and perform application-related forensics activities.

  • Participate in our incident response and vulnerability remediation efforts.

  • Participate in pen testing activities and help the teams mitigate vulnerabilities.

  • Participate in scoping engagements and report delivery.

  • Participate in the grooming of the SDL on an annual basis or when needed.

  • Participate in the incident response process.

  • Participate in threat modelling and design review activities.

Perform

  • Perform application security design reviews against new products and services.

  • Perform application security vulnerability management.

  • Perform as part of our Crisis Management team.

  • Perform code review and drive remediation of discovered issues.

  • Perform code reviews (manual and SAST code audits).

  • Perform continuous code audits.

  • Perform design reviews and Threat modeling of Thought Machine services and products.

  • Perform design reviews and threat modeling of web and mobile applications.

  • Perform design reviews and Threat modelling of Thought Machine services and products.

  • Perform hands-on security threat modeling, risk assessment, and vulnerability remediation.

  • Perform manual and automated security testing.

  • Perform ongoing R&D efforts to stay abreast with security technology.

  • Perform / oversee security testing and manage remediation of identified vulnerabilities.

  • Perform penetration testing and code reviews of web and mobile applications.

  • Perform Penetration Tests on new features and on the platform as a whole.

  • Perform security code reviews including secure library assessment.

  • Perform security event analysis and incident response.

  • Perform security functional testing as needed and validate pen-test findings.

  • Perform security monitoring, threat analysis, and lead the incident response process.

  • Perform source code reviews of our projects.

  • Perform threat modelling and provide threat intelligence to product and development teams.

  • Perform vulnerability assessments and security testing.

  • Perform Web Application penetration testing.

  • Perform web application vulnerability assessments and penetration tests.

Prioritize

Prioritize using a risk-based approach.

Produce

Produce production web scale grade application security design.

Provide

  • Provide expert insight and guidance related to secure application design, build and architecture.

  • Provide guidelines and best practices for fixing identified vulnerabilities.

  • Provide hands-on remediation guidance to development teams.

  • Provide highly technical and consultative security guidance to Development teams.

  • Provide ongoing knowledge transfer and training of scanning capabilities via quarterly demos.

  • Provide recommendations for hardening applications and environments.

  • Provide remediation guidance to respective development teams.

  • Provide security and compliance requirements for software development projects.

  • Provide security expertise and guidance to engineering and business teams.

  • Provide security guidance on a constant stream of new products and technologies.

Read

Read and write multiple programming languages.

Research

Research new threats, attack vectors, and risks.

Review

  • Review and analyze application scans to provide timely reports to requestors.

  • Review and model architectures and usage patterns for HSM consumption.

  • Review and produce data privacy and financial regulatory functional and nonfunctional designs.

Secure

  • Secure coding best practices.

  • Secure configuration and implementation guidance for various technologies including.

Setup

Setup and maintain measurement processes.

Standardize

Standardize and streamline data infrastructure with a single platform.

Support

  • Support application security reviews and threat modeling.

  • Support code reviews across all code platforms.

  • Support corporate security and management of security tooling and platforms.

Take

Take a leadership role in driving internal security and privacy initiatives.

Track

Track and prioritize all security issues.

Train

Train developers on secure coding practices and share industry best practices.

Work

  • Work closely with Development teams to understand and address code analysis results.

  • Work closely with Engineering teams on Design Reviews for new features or major changes.

  • Work solo and collaboratively to deliver projects on a deadline.

  • Work with developers to ensure applications meet security requirements.

  • Work with engineering teams in the design phase of new products and features.

  • Work with information governance teams to ensure security risks are assessed and documented.

  • Work with leading-edge technologies as well as well as with older legacy systems.

Write

Write tests to ensure secure properties of an applications.

Most In-demand Hard Skills

The following list describes the most required technical skills of an Application Security Engineer:

  1. Python

  2. Java

  3. AWS

  4. Javascript

  5. Security

  6. Application Security

  7. Ruby

  8. Docker

  9. Information Security

  10. Sast

  11. Checkmarx

  12. Cissp

  13. Scripting

  14. .Net

  15. Kubernetes

  16. C#

  17. Cybersecurity

  18. Dast

  19. Owasp Top 10

  20. Penetration Testing

  21. GO

  22. Threat Modeling

  23. Bash

  24. Cryptography

  25. Mobile Applications

Most In-demand Soft Skills

The following list describes the most required soft skills of an Application Security Engineer:

  1. Written and oral communication skills

  2. Analytical ability

  3. Problem-solving attitude

  4. Leadership

  5. Collaborative

  6. Creative

  7. Organizational capacity

  8. Attention to detail

  9. Can get challenging projects across the finish line

  10. Drive solutions to completion

  11. Foster constructive dialogue

  12. Interpersonal skills

Stay on top of the sports job market!

Subscribe to our newsletter