Department: Information Security
Reports to: Senior Director, Information Security
Role Summary
You will be a hands-on technical engineer who embeds security into how software is designed, built, and operated. You'll create paved-road patterns, wire security controls into CI/CD, and drive remediation through a risk-based lens. Success in this role means making the secure way the easy way, reducing time-to-fix, and measurably lowering product risk without slowing delivery.
What You'll Do (Core Responsibilities)
Build & Automate Secure-by-Default
- Design and maintain paved-road templates (reference repos, IaC, CI/CD workflows) that ship with SAST, SCA, secrets scanning, IaC/container scanning, SBOM generation, artifact signing/attestation, and policy gates.
- Integrate and tune AppSec tools in developer workflows (IDE hints, PR annotations, pipeline gates); author custom rules where off-the-shelf signals are noisy.
- Engineer data flows that aggregate, dedupe, and correlate findings into a single vulnerability backlog with risk scoring (severity, exploitability, exposure, asset criticality; KEV overrides).
Secure SDLC & Architecture
- Lead threat modeling and design reviews for high-risk features (authn/authz boundaries, multi-tenant isolation, API abuse, data protection).
- Write and evolve secure coding standards and language-specific guardrails (PHP/.NET/Node) aligned to industry best practice.
- Partner with platform teams on supply-chain security (dependency policies, third-party library allow/deny lists).
Validate & Defend
- Stand up DAST/API testing (REST/GraphQL), targeted fuzzing for parsers and critical endpoints, and pre-prod abuse testing (authz under load, rate limiting, broken object/property-level authorization).
- Coordinate external pen tests and triage bug bounty submissions; drive root-cause fixes and pattern-level remediations.
- Improve runtime protection with WAF/API gateways and egress controls.
Vulnerability Management & Risk
- Own triage for critical services; set SLAs by severity and exploitability; escalate KEV-listed or wormable issues as emergency response.
- Create dashboards that separate leading metrics (scan coverage on PRs, time-to-triage) from lagging metrics (MTTR, open > SLA) and business metrics.
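The "aggregate/dedupe/correlate" backlog described under Build & Automate and the severity/exploitability SLAs with KEV escalation described above share one pipeline, so here is a single worked example of it. This is an added illustration, not code from the hiring company or any product it uses: the asset inventory, the KEV set, the scanner records (with placeholder IDs of the form CVE-0000-xxxx, which are not real CVEs), the weights and the SLA thresholds are all constructed assumptions chosen to show the mechanics.

```python
"""Aggregate, dedupe and risk-score scanner findings into one prioritized backlog.

Added illustration only. Assets, KEV entries, findings, weights and SLAs below
are constructed placeholders; CVE-0000-xxxx identifiers are not real CVEs.
"""
from dataclasses import dataclass, field

SEVERITY_WEIGHT = {"CRITICAL": 10.0, "HIGH": 7.0, "MEDIUM": 4.0, "LOW": 1.0}
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.6, "isolated": 0.3}
CRITICALITY_WEIGHT = {"tier1": 1.0, "tier2": 0.7, "tier3": 0.4}
# Remediation SLA in hours per priority; P0 is handled as emergency response.
SLA_HOURS = {"P0": 24, "P1": 7 * 24, "P2": 30 * 24, "P3": 90 * 24}

# Constructed asset inventory (assumed to come from a service catalog / CMDB).
ASSETS = {
    "payments-api": {"exposure": "internet", "criticality": "tier1"},
    "batch-reporter": {"exposure": "isolated", "criticality": "tier3"},
}
# Constructed stand-in for the CISA KEV catalog (in practice fetched and cached).
KEV = {"CVE-0000-0002"}

# Constructed raw scanner output. The SCA and container scanners both report
# the same issue on payments-api with different casing and severities; the
# batch-reporter issue is low-scoring by formula but sits in KEV.
RAW_FINDINGS = [
    {"tool": "sca", "asset": "payments-api", "component": "pkg:npm/example-a@1.0.0",
     "cve": "CVE-0000-0001", "severity": "high", "epss": 0.30},
    {"tool": "container", "asset": "payments-api", "component": "pkg:npm/Example-A@1.0.0",
     "cve": "cve-0000-0001", "severity": "critical", "epss": 0.30},
    {"tool": "sca", "asset": "batch-reporter", "component": "pkg:pypi/example-b@2.3.0",
     "cve": "CVE-0000-0002", "severity": "medium", "epss": 0.02},
    {"tool": "sca", "asset": "batch-reporter", "component": "pkg:pypi/example-c@0.9.0",
     "cve": "CVE-0000-0003", "severity": "low", "epss": 0.01},
]


@dataclass
class Finding:
    asset: str
    component: str
    cve: str
    severity: str
    epss: float            # exploitability signal, assumed to be an EPSS probability
    tools: set = field(default_factory=set)
    kev: bool = False
    score: float = 0.0
    priority: str = "P3"
    sla_hours: int = SLA_HOURS["P3"]


def _key(raw):
    """Dedupe key: same asset, same component (case-insensitive), same CVE."""
    return (raw["asset"], raw["component"].lower(), raw["cve"].upper())


def dedupe(raw_findings):
    """Merge duplicate reports; keep the worst severity and the highest EPSS."""
    merged = {}
    for raw in raw_findings:
        key = _key(raw)
        sev = raw["severity"].upper()
        f = merged.get(key)
        if f is None:
            merged[key] = Finding(raw["asset"], key[1], key[2], sev,
                                  float(raw["epss"]), {raw["tool"]})
            continue
        f.tools.add(raw["tool"])
        f.epss = max(f.epss, float(raw["epss"]))
        if SEVERITY_WEIGHT[sev] > SEVERITY_WEIGHT[f.severity]:
            f.severity = sev
    return list(merged.values())


def score(f, assets, kev):
    """Risk = severity x exploitability x exposure x criticality; KEV forces P0."""
    # Unknown asset: assume the worst (internet-facing, tier1) rather than hiding it.
    asset = assets.get(f.asset, {"exposure": "internet", "criticality": "tier1"})
    f.kev = f.cve in kev
    f.score = round(SEVERITY_WEIGHT[f.severity] * (0.5 + f.epss)
                    * EXPOSURE_WEIGHT[asset["exposure"]]
                    * CRITICALITY_WEIGHT[asset["criticality"]], 3)
    if f.kev or f.score >= 9.0:
        f.priority = "P0"
    elif f.score >= 5.0:
        f.priority = "P1"
    elif f.score >= 2.0:
        f.priority = "P2"
    else:
        f.priority = "P3"
    f.sla_hours = SLA_HOURS[f.priority]
    return f


def build_backlog(raw_findings, assets=ASSETS, kev=KEV):
    """Single backlog, deduped and ordered by priority then descending score."""
    backlog = [score(f, assets, kev) for f in dedupe(raw_findings)]
    backlog.sort(key=lambda f: (f.priority, -f.score))
    return backlog


if __name__ == "__main__":
    for f in build_backlog(RAW_FINDINGS):
        print(f.priority, f.sla_hours, "h", f.cve, f.asset, f.severity,
              f.score, "KEV" if f.kev else "", sorted(f.tools))
```

Two things the formula alone would get wrong are handled explicitly: the KEV override pulls the isolated, low-criticality batch-reporter finding to P0 even though its computed score is well under the P2 threshold, and an asset missing from the inventory is scored as internet-facing tier1 so that inventory gaps surface as noise rather than as silently suppressed risk.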
Minimum Qualifications
- 5 years in AppSec/Software Security/DevSecOps (or a strong software engineering background plus 2 years in AppSec).
- Proficiency in at least one major language (e.g. PHP, C#/.NET, JavaScript/TypeScript, Python, or Go) and the ability to read others.
- Hands-on with modern AppSec tools and patterns: SAST/SCA/DAST, secrets scanning, SBOM and artifact signing, container/IaC scanning, API testing, WAF/API gateway policy.
- CI/CD integration experience (GitHub Actions/GitLab/Jenkins/Azure DevOps/Harness); policy-as-code mindset.
- Practical understanding of cloud-native architectures (AWS/Azure/GCP), Kubernetes fundamentals, and common identity patterns (OIDC/OAuth2, session management).
- Demonstrated ability to turn noisy scanner output into actionable, prioritized remediation work.
Preferred Qualifications
- Operating knowledge of NIST SSDF, OWASP SAMM/ASVS, and SLSA; experience aligning controls to PCI/SOC 2/ISO (as relevant).
- Building/maintaining golden-path templates; writing custom rules for SAST/SCA or Semgrep/CodeQL queries.
- Exposure to bug bounty ops and pen test orchestration.
- Relevant certifications (CSSLP, OSWE, GWAPT, GCSA) are a plus but not required.
Behavioral Competencies
- Enablement first: you remove friction and build guardrails developers want to use.
- Systems thinker: you fix root causes and codify them into templates and rules.
- Data-driven: you choose battles via risk signals (KEV, exploitability, exposure).
- Clear communicator: you translate risk into engineering work and business impact.
Candidates should be comfortable with an on-site presence to support collaboration, team leadership, and cross-functional partnership.
Why Join Us:
At Acrisure, we're building more than a business; we're building a community where people can grow, thrive, and make an impact. Our benefits are designed to support every dimension of your life, from your health and finances to your family and future.
Making a lasting impact on the communities it serves, Acrisure has pledged more than $22 million through its partnerships with Corewell Health Helen DeVos Children's Hospital in Grand Rapids, Michigan; UPMC Children's Hospital in Pittsburgh, Pennsylvania; and Blythedale Children's Hospital in Valhalla, New York.
Employee Benefits
We also offer our employees a comprehensive suite of benefits and perks, including:
Physical Wellness: Comprehensive medical, dental, and vision insurance; life and disability insurance; fertility benefits; wellness resources; and paid sick time.
Mental Wellness: Generous paid time off and holidays; Employee Assistance Program (EAP); and a complimentary Calm app subscription.
Financial Wellness: Immediate vesting in a 401(k) plan; Health Savings Account (HSA) and Flexible Spending Account (FSA) options; commuter benefits; and employee discount programs.
Family Care: Paid maternity leave and paid paternity leave (including for adoptive parents); legal plan options; and pet insurance coverage.
and so much more!
This list is not exhaustive of all available benefits. Eligibility and waiting periods may apply to certain offerings. Benefits may vary based on subsidiary entity and geographic location.
Acrisure is an Equal Opportunity Employer. We consider qualified applicants without regard to race, color, religion, sex, national origin, disability, or protected veteran status. Applicants may request reasonable accommodation by contacting .
California Residents: Learn more about our privacy practices for applicants by visiting the Acrisure California Applicant Privacy Policy.
Recruitment Fraud: Please visit here to learn more about our Recruitment Fraud Notice.
Welcome, your new opportunity awaits you.