Senior Application Security Engineer

Idexx


Job Location:

Westbrook, ME - USA

Monthly Salary: Not Disclosed
Posted on: 13 days ago
Vacancies: 1 Vacancy

Job Summary

Our cybersecurity and information security teams at IDEXX contribute to a more resilient, adaptable, and security-aware enterprise prepared to navigate today's evolving threat landscape. We have complex, multi-dimensional programs across the organization that support all the technology needed to deliver products and solutions to customers - enabling them to focus on delivering high quality patient care.

IDEXX is seeking a Senior Application Security Engineer to join our Product & Application Security team, protecting applications across development teams. This role combines hands-on security testing with strategic partnership - you will conduct security assessments, perform threat modeling, and work directly with developers to build security into products from the start.

You will support security activities ranging from SAST/DAST analysis to API security testing, collaborate with our Security Champions to scale secure development practices, and contribute to the maturation of our Secure Software Development Lifecycle (SSDLC).

This position reports to the Senior Manager of Product & Application Security and operates within a team that prioritizes partnership over enforcement, using OWASP SAMM as our operational framework.

In this role you will be responsible for...

Security Assessments & Testing

  • Conduct security architecture reviews and threat modeling sessions with development teams using STRIDE methodology

  • Perform application security assessments across our security verification service offerings, including SAST/DAST analysis, manual code review, API security testing, authentication/authorization testing, and vulnerability validation

  • Execute hands-on security testing of applications, APIs, mobile applications, agentic solutions, and cloud-native services

  • Analyze and validate security findings from automated security tools and provide actionable remediation guidance

Security Engineering & Automation

  • Build and maintain security verification tooling, scripts, and automation to improve assessment efficiency and coverage

  • Develop custom security testing scripts and proof-of-concept exploits to validate vulnerabilities

  • Contribute to security tooling integration within CI/CD pipelines

  • Create reusable security patterns, code snippets, and reference implementations for common security controls

Developer Partnership & Enablement

  • Contribute to security training and enablement sessions on secure coding practices, common vulnerabilities, and threat modeling

  • Provide just-in-time security guidance during sprint planning, design reviews, and code reviews as requested

  • Translate security findings into developer-friendly remediation guidance with code examples and implementation patterns

SSDLC & Program Development

  • Contribute to SSDLC policy development and security requirements documentation grounded in OWASP SAMM practices

  • Guide the evolution of the SSDLC to address emerging risks and controls introduced by AI-assisted development

  • Support the standardization of security assessment intake, execution, and reporting processes via ServiceNow

  • Maintain security verification documentation, including testing methodologies, checklists, and runbooks

  • Track and report on security assessment metrics, including coverage, finding severity distribution, and remediation timelines

What You Will Need to Succeed...

  • 4-6 years of hands-on experience in application security with demonstrable technical skills
  • Strong grasp of threat modeling methodologies (STRIDE preferred) and risk assessment
  • Location: we are looking for someone within driving distance of our HQ in Westbrook, Maine, where we offer a flexible hybrid requirement of only 8 days per month. We are also open to those in New Hampshire or Massachusetts who are able to be on-site less often, possibly 1 to 4 times a month.

  • Strong understanding of common web application vulnerabilities (OWASP Top 10, SANS Top 25) and secure coding practices
  • Practical experience conducting security assessments, including SAST/DAST analysis, manual code review, and penetration testing
  • Proficiency with application security testing tools
  • Solid understanding of at least two programming languages sufficient to review code for security issues
  • Experience with API security testing (REST, GraphQL, SOAP) and authentication/authorization mechanisms (OAuth, SAML, JWT)
  • Working knowledge of CI/CD security integration and tools like GitHub Advanced Security, SonarQube, or Snyk
  • Understanding of secure architecture principles and security design patterns
  • Familiarity with cloud security fundamentals (AWS, Azure, or GCP)
  • Knowledge of vulnerability scoring systems (CVSS, EPSS) and prioritization frameworks
  • Awareness of compliance requirements (SOC 2, GDPR, HIPAA, CRA) and how they apply to application security
  • Ability to communicate complex security issues clearly to both technical and non-technical audiences
  • Skill in building trust and partnerships with development teams rather than acting as a gatekeeper
  • Comfort working in a fast-paced agile environment where security must enable delivery
  • Experience mentoring or enabling developers on security topics
  • Track record of translating security findings into practical, actionable remediation guidance

It would be a plus if you had any of these...

  • GIAC Web Application Penetration Tester (GWAPT), Offensive Security Certified Professional (OSCP), or Certified Application Security Engineer (CASE) certification
  • Background in software development or DevOps with a transition to security

  • Familiarity with OWASP SAMM, BSIMM, or similar secure development maturity frameworks

  • Experience contributing to a Security Champions program or developer security enablement initiative

  • Prior work in regulated industries (healthcare, financial services, government)

  • Contributions to open-source security tools or vulnerability research

What you can expect from us:

Base annual salary target: $120,000 - $150,000 (yes, we do have flexibility if needed)
Opportunity for annual cash bonus
Health / Dental / Vision Benefits Day-One
5% matching 401k
Additional benefits including but not limited to financial support, pet insurance, mental health resources, volunteer paid days off, employee stock program, foundation donation matching, and much more!

Why IDEXX

We're proud of the work we do because our work matters. An innovation leader in every industry we serve, we follow our Purpose and Guiding Principles to help pet owners worldwide keep their companion animals healthy and happy, to ensure safe drinking water for billions, and to help farmers protect livestock and poultry from diseases. We have customers in over 175 countries and a global workforce of over 10,000 talented people.

So what does that mean for you? We enrich the livelihoods of our employees with a positive and respectful work culture that embraces challenges and encourages learning and discovery. At IDEXX, you will be supported by competitive compensation, incentives, and benefits while enjoying purposeful work that drives improvement.

Let's pursue what matters together.

IDEXX values a diverse workforce and workplace and strongly encourages women, people of color, LGBTQ individuals, people with disabilities, members of ethnic minorities, foreign-born residents, and veterans to apply.

IDEXX is an equal opportunity employer. Applicants will not be discriminated against because of race, color, creed, sex, sexual orientation, gender identity or expression, age, religion, national origin, citizenship status, disability, ancestry, marital status, veteran status, medical condition, or any protected category prohibited by local, state, or federal laws.



Required Experience:

Senior IC


About Company


Enhancing the health and well-being of pets, people, and livestock.
