Overview
The Application Security Analyst II role will support our organization's security posture by protecting applications, APIs, databases, and third-party SaaS platforms. Working closely with the AppSec Lead, the analyst will take on operational responsibilities that enable the strategic growth of the program while supporting hands-on security testing and analysis.
Experience requirements
* Experience across cybersecurity domains: 2–5 years
* Application security: 2–5 years
* Application development: 2–5 years
Responsibilities
* Onboard development teams into security tools (e.g., Snyk) and integrate those tools into CI/CD pipelines.
* Perform vulnerability triage and respond to alerts in a timely manner.
* Conduct security testing of code and APIs, including analyzing results from static (SAST) and dynamic (DAST) analysis tools.
* Monitor SaaS and API findings, ensuring risks are logged and communicated appropriately.
* Manage user access to, and maintain the health of, the security tools.
* Assist in manual assessments of COTS and database security, building inventories and documenting findings.
* Collaborate with the AppSec Lead to develop and implement best practices across all security pillars.
* Support the creation of risk profiles and contribute to long-term risk reduction strategies.
* Help prepare reports and communicate program metrics and risk posture to stakeholders.
* Advanced English proficiency is required.
Must-have skills
* Solid expertise in at least one or two of the following pillars: code and portal security, SaaS security, API security, COTS security, or database security.
* Hands-on experience with code testing frameworks, static analysis (SAST) tools, and dynamic analysis (DAST) tools.
* Understanding of API security fundamentals (authentication, authorization, protocols) and web services.
* Familiarity with CI/CD pipelines and with integrating security scanning into them.
* Solid grasp of web application security concepts and common vulnerabilities (e.g., the OWASP Top Ten).
* Strong interpersonal and communication skills; able to collaborate across teams and convey security concepts to diverse audiences.
* Analytical thinking and problem solving; able to triage and prioritize vulnerabilities and tasks.
Nice-to-have skills
* Experience or interest in SaaS security, including monitoring and performing manual assessments.
* Basic knowledge of COTS and database security with a willingness to learn more.
* Prior experience as a software developer or in a development team.
* Understanding of DevSecOps principles and practices.
* Knowledge of manual SaaS assessment processes and best practices.
* Experience performing database security reviews or working with database technologies.
* Experience or interest in forming programmatic risk profiling methodologies.
Security tools experience
Candidates should have experience with security tools in one or more of the following categories:
* SSPM (SaaS Security Posture Management) tools: Obsidian Security, Falcon Shield, Valence, Adaptive Shield, AppOmni, etc.
* Code scanning tools: Checkmarx, Snyk, Veracode, SonarQube, Fortify, GitHub Advanced Security, etc.
* API security tools: Cequence, Salt Security, Noname Security, 42Crunch, Traceable, etc.
* COTS security tools: Nessus, Qualys, Rapid7, or similar vulnerability management tools.
* Database security tools: Imperva, IBM Guardium, Oracle Audit Vault, or similar.