Sr. Application Security Engineer
Denver, CO - USA
Job Summary
The insurance industry runs on Vertafore. We equip agencies, MGAs and carriers with the core digital systems, specialized AI and data-driven foundation to eliminate distribution drag across the insurance lifecycle, spanning sales, servicing and back-office operations.
Underpinned by unmatched speed and performance power, we are the trusted backbone that's taking the insurance industry from friction to flow with Distribution Velocity (speed, performance and trust) to drive growth at scale.
With over 95% of the top agencies and insurers, and 50% of industry compliance transactions, running through Vertafore, we lead at the intersection of innovation and trust, giving insurance professionals the confidence to transform and win in the AI era.
Our reach is global, with headquarters in Denver, Colorado and offices across the U.S., Canada and India.
The Senior Application Security Engineer is responsible for advancing application, product, cloud, API, identity and AI security across Vertafore's software engineering organization. This role partners directly with product engineering, architecture, DevOps, cloud and security teams to identify risk early, define secure design patterns and embed scalable security controls into the software development lifecycle.
This role will serve as a hands-on technical security partner for application teams, helping them understand and document application architecture from a security perspective, identify trust boundaries and attack paths, and implement practical mitigations. The Senior Application Security Engineer will support secure design reviews, threat modeling, secure coding practices, vulnerability management, CI/CD security controls, API security, identity and access management patterns, and emerging AI/agentic product security capabilities.
A key focus of this position is securing AI-enabled applications and AI agents integrated into Vertafore products. This includes understanding AI agent architecture, authentication and authorization patterns, memory handling, prompt tracing, tool/plugin access guardrails, model and runtime behavior, AI runtime scanning, and secure use of code-assist tools within engineering workflows.
The ideal candidate is a strong application security practitioner who can translate complex technical risk into actionable engineering guidance, influence teams without direct authority, and help product teams ship securely without unnecessary friction.
Core Requirements and Responsibilities:
Essential job functions include, but are not limited to, the following:
Partner with product and engineering teams to perform application security reviews, secure architecture reviews and threat modeling for new and existing applications, services, APIs, integrations and cloud-native workloads.
Work with teams to understand application architecture, data flows, trust boundaries, authentication and authorization models, third-party integrations, deployment patterns and security-relevant design decisions.
Document application architecture from a security perspective, including key assets, identity flows, privilege boundaries, attack surfaces, sensitive data flows, control gaps and recommended mitigations.
Identify and prioritize application security risks across web applications, APIs, microservices, SaaS platforms, cloud services, CI/CD pipelines, infrastructure-as-code and AI-enabled product capabilities.
Provide hands-on guidance to engineering teams on secure coding, secure design, vulnerability remediation, secrets management, dependency risk, API security, input validation, authentication, authorization, session management, logging and error handling.
Support and improve secure SDLC practices, including security requirements, design review checkpoints, threat modeling, secure code review, automated scanning, developer education, exception management and remediation tracking.
Integrate and tune security tooling across CI/CD pipelines, including SAST, SCA, IaC scanning, container scanning, DAST, API security testing, secrets detection and AI runtime security scanning where applicable.
Help define and operationalize security controls for AI agents and AI-enabled product features, including guardrails, authentication, authorization, prompt tracing, model/tool interaction logging, memory controls, data leakage prevention, abuse-case testing and runtime monitoring.
Evaluate the secure use of AI code-assist tools and developer productivity tools, including risks related to data exposure, insecure code generation, hallucinated dependencies, licensing, secrets leakage, provenance and secure review workflows.
Collaborate with DevOps and platform teams to embed security controls into CI/CD workflows while minimizing developer friction and false positives.
Review identity and access management patterns across applications and platforms, including IAM, PAM, JIT access, service accounts, least privilege, privileged workflows, role design, federation, SSO, API access, token handling and lifecycle governance.
Partner with cloud and infrastructure teams to review application-level cloud security controls across AWS, Azure and related platforms.
Support vulnerability management by validating findings, assessing exploitability and business impact, partnering on remediation plans and escalating material risks when needed.
Develop reusable security patterns, reference architectures, standards, guardrails and implementation guidance for engineering teams.
Mentor engineers and security team members on application security, cloud security, API security, AI security, threat modeling and secure SDLC practices.
Communicate risk clearly to technical and non-technical stakeholders, including engineering leaders, product leaders, compliance partners and security leadership.
Contribute to security policy, standards, compliance and audit readiness efforts related to application security, product security, identity, cloud, AI and SDLC controls.
Participate in security incident response, security operations escalation or on-call processes as required by the business.
Knowledge, Skills and Abilities:
Strong knowledge of application security principles, secure design, secure coding, web application security, API security, cloud-native application security and secure SDLC practices.
Strong understanding of common application and API vulnerabilities, including OWASP Top 10, OWASP API Security Top 10, authentication bypass, authorization flaws, injection, insecure deserialization, SSRF, business logic flaws, secrets exposure and supply chain risks.
Experience performing security architecture reviews, threat modeling, design reviews and risk assessments for modern software systems.
Ability to understand complex application architectures and document them from a security perspective, including data flows, trust boundaries, identity flows, external integrations and critical control points.
Working knowledge of AI-enabled application and AI agent security concepts, including agent components, tool use, memory, prompt handling, prompt tracing, guardrails, authentication, authorization, runtime monitoring, abuse-case testing and data protection.
Familiarity with AI security frameworks, patterns or risk areas such as prompt injection, indirect prompt injection, tool misuse, excessive agency, data leakage, insecure plugin/tool access, model output handling and agentic workflow abuse.
Experience evaluating or securing AI code-assist tools, including secure configuration, acceptable-use guardrails, source code exposure risks, generated-code review practices and developer workflow controls.
Experience integrating security testing and security gates into CI/CD pipelines, including SAST, SCA, IaC scanning, container scanning, secrets scanning, DAST, API testing and AI runtime scanning.
Strong understanding of identity and access management concepts, including IAM, PAM, JIT access, least privilege, RBAC/ABAC, federation, SSO, MFA, privileged workflows, service identities, API tokens and access lifecycle management.
Experience with cloud security concepts and services across AWS and/or Azure, particularly as they relate to application workloads, identity, networking, logging, encryption and deployment pipelines.
Familiarity with WAF, API gateway, rate limiting, bot protection, DLP, logging/monitoring, SIEM integrations and application-layer detective and preventive controls.
Ability to assess vulnerabilities based on exploitability, compensating controls, business impact and remediation complexity rather than scanner severity alone.
Ability to influence engineering teams and product stakeholders through practical risk-based guidance.
Strong written and verbal communication skills, including the ability to explain security risk, tradeoffs and recommended actions to both technical and non-technical audiences.
Ability to create repeatable standards, patterns, playbooks and architecture guidance that scale across multiple teams and products.
Strong collaboration skills with engineering, architecture, DevOps, cloud, compliance, IT, identity and security operations teams.
Ability to work independently, manage competing priorities and operate effectively in a remote or hybrid environment.
Qualifications:
Bachelor's degree in Cybersecurity, Computer Science, Information Technology, Software Engineering or a related field, OR equivalent experience.
7 years of experience in application security, product security, security engineering, software engineering with a security focus, cloud security or security architecture.
Hands-on experience with application security reviews, threat modeling, secure SDLC practices, vulnerability management and engineering partnership.
Experience securing cloud-hosted applications, APIs, microservices, CI/CD pipelines and modern software delivery environments.
Experience with at least several of the following security tools or control areas: SAST, DAST, SCA, secrets scanning, container scanning, IaC scanning, API security testing, WAF, CNAPP/CSPM, CI/CD security controls, SIEM/logging or runtime application security monitoring.
Experience with identity and access management patterns, including IAM, PAM, JIT access, privileged access workflows, service account governance, SSO, MFA, RBAC/ABAC and least privilege.
Experience or demonstrated working knowledge of AI application security, AI agents, LLM-enabled product features, AI runtime controls, AI-assisted development workflows or secure AI adoption is strongly preferred.
Experience working directly with software engineering teams to document architecture, identify security risks and drive remediation through practical engineering guidance.
Security certifications such as CSSLP, CISSP, GWAPT, GWEB, AWS Security Specialty, CCSP or other relevant credentials are a plus.
Familiarity with regulatory compliance or control frameworks such as SOC 2, ISO 27001, NIST CSF, NIST SSDF, OWASP ASVS, OWASP SAMM or similar frameworks is preferred.
Additional Requirements and Details:
Travel required up to 10% of the time.
Ability to work remotely with a stable internet connection on an as-needed basis.
Located and working from an office location (when required).
Occasional lifting and/or moving up to 10 pounds.
Frequent repetitive hand and arm movements required to operate a computer.
Specific vision abilities required by this job include close vision (working on a computer etc.).
Frequent sitting and/or standing.
THE VERTAFORE STORY
Over the past 50 years, Vertafore has advanced the entire insurance distribution channel with the best software solutions in the industry. Today we're proud to say hundreds of thousands of Vertafore users rely on our solutions to write business faster, reduce costs and fuel growth by increasing collaboration and streamlining processes. Vertafore leads the industry with secure, cloud-based mobile products that provide superior reporting and analytics, delivering actionable insight right when customers need it most. We partner with other leading technology companies to deliver comprehensive solutions to improve the way our customers do business and serve their customers.
The Vertafore Way
Insurance is about relationships, and technology should make those relationships stronger. That's why at Vertafore it's our mission to transform the way the industry operates by putting people at the heart of insurance technology. By focusing on our customers, becoming better every day and delivering results you can see, we provide the level of trust and security that insurance is all about.
Bias to Action: We're united by an innate drive to take action and make a difference in the technology and insurance spaces.
Win Together: We work together as one team showing empathy and respect along the way.
Show Up Curious: We work to challenge one another to push boundaries and think beyond the box.
Say It, Do It: We honor every one of our commitments because integrity is important to us.
Customer Success is Our Success: We cultivate authentic relationships and follow up by actively listening to their needs.
We Love Insurance: We appreciate the impact insurance has on the world.
Is this role not an exact fit for you? Keep an eye on our Careers Page for other positions!
Vertafore is a drug-free workplace and conducts pre-employment drug and background screenings.
The selected candidate must be legally authorized to work in the United States.
The above statements are intended to describe the general nature and level of work being performed by people assigned to this job. They are not intended to be an exhaustive list of all the job responsibilities, duties, skills or working conditions. In addition, this document does not create an employment contract, implied or otherwise, other than an at-will relationship.
Vertafore strongly supports equal employment opportunity for all applicants regardless of race, color, religion, sex, gender identity, pregnancy, national origin, ancestry, citizenship, age, marital status, physical disability, mental disability, medical condition, sexual orientation, genetic information or any other characteristic protected by state or federal law.
We do not accept resumes from agencies, headhunters or other suppliers who have not signed a formal agreement with us.
Required Experience:
Senior IC
About Company
Looking to start your career in Technology? We have opportunities right here in mid-Michigan! Vertafore is looking for talented people to join our team in Michigan. Our dynamic environment provides professional development, fast upward mobility, and e