
Trinity Workforce Solutions, Inc.

Application Security Engineer

2-5 Years
  • Posted 5 hours ago

Job Description

Position: Application Security Engineer (DevSecOps / Azure DevOps)

Work Setup: Hybrid, 2 times a week

Permanent Position

Location: Manila, Philippines

Summary: You will embed security into the software delivery lifecycle and reduce application risk across modern cloud and containerized environments. In this role, you will partner closely with engineering, DevOps, and product teams to implement and operate scalable DevSecOps controls, including SAST, DAST, SCA, API security testing, IAST, and RASP, and drive secure-by-design practices through automation in Azure DevOps CI/CD pipelines. You will also support penetration testing activities, provide secure coding guidance, and help establish standards and metrics that improve security posture without slowing down delivery.

Roles and Responsibilities:

  • Embed security into the SDLC by partnering with engineering and DevOps teams across planning, design, build, test, and release.
  • Implement and maintain application security testing programs, including:
      • SAST (Static Application Security Testing)
      • DAST (Dynamic Application Security Testing)
      • SCA (Software Composition Analysis)
      • IAST (Interactive Application Security Testing)
      • RASP (Runtime Application Self-Protection)
  • Integrate security scanning and quality gates into Azure DevOps pipelines (Build/Release), ensuring repeatable and automated controls.
  • Perform API security testing, including authentication/authorization validation, rate limiting checks, schema validation, and abuse testing.
  • Conduct and/or coordinate security penetration testing and validate remediation effectiveness.
  • Lead threat modeling and secure design reviews for new features, services, and architectures (microservices, serverless, containerized workloads).
  • Establish vulnerability triage and remediation workflows: verify findings, reduce false positives, prioritize by risk, and track to closure.
  • Define and promote secure coding standards and provide hands-on guidance (code review support, secure patterns, reference implementations).
  • Support cloud security posture for application layers across Azure, AWS, and/or GCP, including identity, secrets, network exposure, and service configurations.
  • Implement secrets management and secure configuration practices (e.g., key vault usage, environment hardening, least privilege).
  • Build dashboards and metrics to report coverage and progress (scan coverage, mean time to remediate, vulnerability trends, SLA compliance).
  • Evaluate and onboard AppSec tools and solutions; optimize pipelines for performance, reliability, and developer experience.
  • Run enablement sessions (training, brown bags) to raise developer security maturity and reduce recurring issues.
  • Participate in incident response activities related to application vulnerabilities, including root-cause analysis and prevention improvements.

Core Technical Requirements

  • Strong hands-on experience with SAST (Static Application Security Testing), including tooling, tuning, triage, and remediation guidance.
  • Strong hands-on experience with DAST (Dynamic Application Security Testing), including scanning strategies, authenticated scans, and result validation.
  • Strong hands-on experience with SCA (Software Composition Analysis), including open-source risk, license/compliance basics, and dependency hygiene.
  • Experience with IAST (Interactive Application Security Testing) and/or ability to operationalize runtime testing approaches.
  • Experience with RASP (Runtime Application Self-Protection) concepts and/or runtime security controls in production.
  • Proven capability in API Security Testing (OWASP API Top 10 understanding; authN/authZ, token handling, mass assignment, rate limits).
  • Experience conducting Security Penetration Testing (web apps, APIs) and translating findings into actionable fixes.
  • Strong knowledge of common app vulnerabilities (OWASP Top 10), secure coding patterns, and security testing methodologies.

DevOps / DevSecOps & Delivery Tooling

  • Demonstrated DevOps background with CI/CD, automation, and pipeline-based deployments.
  • Demonstrated DevSecOps background integrating security into pipelines with quality gates and developer-friendly workflows.
  • Working knowledge of Azure DevOps (Repos, Pipelines, Build/Release, Artifacts, Boards) and integrating security scanning into it.
  • Experience with Infrastructure-as-Code and pipeline automation concepts (e.g., YAML pipelines, reusable templates, policy-as-code).

Cloud & Engineering Background

  • Hands-on experience with at least one major Cloud Platform (Azure, GCP, AWS); familiarity with identity, networking, secrets, and logging.
  • Dev background (software engineering experience) in one or more languages (e.g., C#, Java, JavaScript/TypeScript, Python, Go) with the ability to read and review code.
  • Familiarity with containers and modern app architectures (microservices, Kubernetes/AKS/EKS/GKE, serverless).

Professional / Collaboration Skills

  • Ability to communicate risk clearly to engineers and leadership, balancing security requirements with delivery needs.
  • Strong stakeholder management, collaboration, and influence skills; able to drive security adoption without relying on authority.
  • Experience establishing standards, playbooks, and measurable outcomes (KPIs/SLAs) for application security programs.

Nice-to-Have (Optional)

  • Experience with common AppSec tools (examples): Fortify/Checkmarx/Veracode/SonarQube (SAST), OWASP ZAP/Burp (DAST), Snyk/Mend/Black Duck (SCA).
  • Experience with WAF, API gateways, or service mesh security controls.
  • Security certifications (e.g., CSSLP, GWAPT, OSCP) or cloud certifications (AZ-500, AWS Security Specialty, GCP Security Engineer).

Work Set Up: Day Shift, Hybrid, Cubao site

More Info

Open to candidates from: Philippines/Filipino

About Company

TRINITY WORKFORCE SOLUTIONS

We've built a deep understanding of candidates, clients and technologies used in this ever-evolving sector, helping us to connect top talent with leading companies every day.

Trinity is poised to take on even greater challenges in the coming years as it remains firm in its commitment to provide only the best employment opportunities to the country's highly skilled labor force and professionals, and to showcase the best that the Multiple Geographics has to offer to the global labor market.

Trinity can be the ‘One Stop Shop’ for recruitment, with capabilities of supporting with recruitment requirements across all areas of the operation, with our aim being to “Keep you in excellent working order”.

Job ID: 144550095
