Application Security Engineer

About Andesite:

After decades defending the nation's most sensitive networks, we founded Andesite with a clear mission: to build security products that transform how humans and AI collaborate to defend against increasingly sophisticated cyber threats.

We’re a diverse team of cyber and security experts, passionate technologists, and experienced product builders. We come from some of the largest national security, tech, cybersecurity, and data organizations on the planet.

We've raised more than $38 million from investors like General Catalyst and Red Cell Partners.

The future of cybersecurity isn't about better technology alone—it's about reimagining how humans and machines work together. Come build with us.

The Role:

Andesite is looking for an Application Security Engineer to join our cybersecurity operations.  In this role, you will secure software applications and cloud environments and identify and mitigate vulnerabilities throughout the development lifecycle - this includes performing application threat modeling, reviewing source code, managing SAST/DAST/SCA tools, and contributing to secure design and architecture reviews.  This position requires maintaining confidentiality, integrity, and availability of stakeholders' information and systems. You will facilitate and support vulnerability assessments and gap analysis to identify deficiencies and areas requiring remediation. Deliver real-time threat response through SIEM-driven monitoring, detection, and investigation.

The Application Security Engineer will resolve problems independently and work closely with other departments in a fast-paced, dynamic environment to ensure the organization’s applications, cloud and DevSecOps initiates are secure and compliant with relevant regulations, standards, compliance, and customer requirements. Additionally, you will help educate and empower engineering teams to adopt secure development practices through guidance, training, and collaboration.

What You’ll Do:

• Product Security: Proactively find security weaknesses during design, development, testing, and deployment phases, and work with teams to remediate them before they reach production.
• Application Threat Modeling and Secure Design Reviews: Analyze application components, data flows, and trust boundaries to anticipate potential threats and integrate security into architectural decisions early.
• Application Security Operations: Manage and maintain SAST, DAST, and SCA tooling: Configure, tune, and operationalize static, dynamic, and software composition analysis tools to support scalable and effective application security testing.
• Code Review: Conduct manual and automated code reviews to detect insecure coding patterns, logic flaws, and injection risks, ensuring code adheres to secure development standards.
• DevSecOps: Develop and maintain custom scripts and tools to automate security tasks, enhance visibility, and integrate security into development and operational workflows.
• Cloud Engineering: Enforce least privilege, secure network architectures, and strong identity and access controls across cloud accounts and services.
• System Monitoring: Monitor computer networks and systems with SIEM to identify vulnerabilities and respond to security threats and attacks.
• Vulnerability management: Support with scanning, tracking, and remediating security vulnerabilities across systems and applications.
• Educate: Provide training, documentation, and hands-on guidance to developers and engineers to build a strong security culture and shift security left in the SDLC.
• Professional Development: Stay current with industry developments and best practices through training, conferences, and other professional development activities.

Who You Are:

• 4+ years of experience in application security, secure software development, or a similar security-focused engineering role.
• 2+ years of hands-on experience securing cloud-native applications and infrastructure.
• Deep understanding of secure design principles, threat modeling, and software risk assessment.

Technical Skills - Application Security:

• Proficient in at least one programming language.
• Strong knowledge of secure coding practices and ability to guide developers through remediation.
• Experience writing scripts or tools to automate security tasks.
• Expert understanding of OWASP Top 10, CWE/SANS Top 25, and other software security standards.
• Familiarity with SAST, DAST, and SCA AppSec tools.
• Experience integrating security tooling into CI/CD pipelines (DevSecOps).
• Knowledge to perform penetration testing on AI components.

Technical Skills – Cloud Security:

• In-depth experience with at least one major cloud platform (AWS, Azure, or GCP).
• Hands-on experience implementing cloud security controls.
• Familiarity with infrastructure as code (IaC) security tools.
• Knowledge of container security and orchestration best practices.
• Exposure to cloud-native security services.

Governance & Risk:

• Experience conducting architecture and design reviews for security across applications and cloud environments.
• Understanding of cloud compliance frameworks (e.g., PCI DSS, CIS benchmarks, NIST, SOC 2, ISO 27001).
• Ability to implement and maintain secure configurations aligned with industry standards.

Soft Skills:

• Strong collaboration skills with developers, DevOps, and cloud engineering teams.
• Comfortable working across the SDLC to embed security from design through deployment.
• Ability to influence technical direction and security architecture.
• Excellent communication skills for both technical and non-technical audiences.

Certifications (Preferred): Possesses an offensive security and pentesting certification such as:

• OSCP, eJPT, eWPT, eWPTX, eCPPT, OSWA, OSSD, GPEN, GWAPT, CRTP

Nice to Have:

• Bachelor's degree in Computer Science, Cybersecurity, Information Technology, or related field (or equivalent practical experience).
• Experience with SIEM/SOAR platforms and cloud log analysis.
• Participation in red/blue team exercises or security incident response in cloud environments, experience with PCI DSS desired.
• Contributions to open-source security tools or community knowledge sharing.
• Familiarity with Zero Trust principles and architectures.

What We Can Offer:

• A competitive salary, bonus, and equity package
• 100% employer paid, comprehensive health insurance including medical, dental, and vision for you and your family
• Unlimited PTO, with your manager’s approval
• Flexible work environment where you manage your workday
• A remote-first environment, with occasional travel to collaborate with customers, your team, and teammates from across the company in person
• 14 weeks of fully-paid parental leave

Salary range: $100,000-$125,000. This represents the typical salary range for this position based on experience, skills, and other factors.

Andesite is an equal opportunity employer, and qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender perception or identity, national origin, age, marital status, protected veteran status, or disability status.

We encourage candidates from all backgrounds to apply, even if you don't feel like you're a perfect fit. If you're passionate about contributing to our mission, we'd love to hear from you!