Application Security Engineer

Bay Area | Contract-to-Hire | Cybersecurity Services | Application Security Engineer

We're recruiting for an Application Security Engineer on behalf of a high-growth VAR cybersecurity services firm. This is a hands-on, client-facing role where you'll work closely with product and engineering teams to embed security into the development lifecycle—ideal for someone who enjoys staying technical while driving real security outcomes across modern application environments.

Client Summary:

A rapidly growing cybersecurity services company delivering advanced security solutions across application, cloud, and detection domains. The firm partners with enterprise clients to strengthen security posture, improve detection and response, and embed secure development practices across web, mobile, and API environments. Known for deep technical expertise and a consultative approach, they are scaling quickly and expanding their service offerings.

What You'll Do (Responsibilities):

- Perform application security assessments including code review, SAST, DAST, SCA, and targeted testing
- Lead threat modeling sessions across new features, architecture changes, and emerging technologies
- Integrate security tooling (Semgrep, Snyk, CodeQL, GitHub Advanced Security, Burp Suite) into CI/CD pipelines
- Triage and drive remediation of vulnerabilities across web, mobile, and API surfaces
- Design and implement secure coding standards and authentication/authorization patterns (OAuth 2.0, SAML, JWT)
- Evaluate third-party libraries and dependencies for security and supply chain risk
- Support incident response and contribute to application-layer root cause analysis
- Develop documentation, runbooks, and security playbooks to support engineering teams

What You'll Bring (Requirements):

- 3–5 years of experience in application security, penetration testing, or secure software development
- Strong knowledge of OWASP Top 10, CWE, and common web/API vulnerabilities
- Hands-on experience with SAST, DAST, SCA, or IAST tools in CI/CD environments
- Proficiency in one or more languages (Python, Go, JavaScript/TypeScript, or Java)
- Familiarity with modern development workflows (Git, CI/CD, containers)
- Understanding of authentication and authorization frameworks (OAuth 2.0, SAML, JWT)
- Strong communication skills with the ability to translate findings into actionable engineering tasks
- Ability to travel regularly to San Francisco Bay Area

Nice to Have:

- Certifications such as OSCP, GWAPT, CEH, or CSSLP
- Experience with bug bounty or responsible disclosure programs
- Familiarity with cloud security (AWS, GCP, Azure)
- Contributions to open-source security tooling

Compensation & Structure:

- Contract role with potential for W2 conversion
- Highly competitive compensation (DOE)
- High-impact role with direct visibility to leadership

Why This Role Stands Out:

- Hands-on role working directly with engineering teams to influence secure development practices
- Exposure to modern application stacks, APIs, and emerging technologies
- Opportunity to work across diverse client environments and security challenges

Why Join Our Client?

This is an opportunity to join a scaling cybersecurity services firm where you'll have real ownership, work on complex application security challenges, and help define how secure development is implemented across organizations.

Interested and qualified? DM Morgan Brown and apply today!