Application Security Engineer
Job Description
The Application Security Engineer role at Wolfe, LLC is a hands-on position based in Pittsburgh, PA, onsite five days a week. The role collaborates with developers and DevOps to embed security into software delivery, encompassing code reviews, CI/CD hardening, and vulnerability management across applications, containers, and cloud infrastructure. Salary is USD 110,000 to 120,000 per year.
Responsibilities
- Perform code reviews, SAST/DAST testing, basic penetration tests, and basic threat modeling, partnering with developers to remediate vulnerabilities across application code, libraries, containers, and infrastructure as code.
- Integrate and run automated security tooling such as Snyk, SemGrep, or Cycode within CI/CD pipelines across code repositories (GitHub, GitLab, Jenkins, AWS DevOps), and assist with triage and reporting of findings.
- Manage a vulnerability management program, vulnerability scanning tools, and the enterprise Bug Bounty program, tracking and prioritizing remediation against defined SLAs.
- Support operation and improvement of Bot Management, WAF, secrets management, and API security controls across Wolfe's applications.
- Apply and promote secure coding standards aligned to OWASP and SANS CWE Top 25, and contribute to measuring DevSecOps maturity using DSOMM or BSIMM.
- Collaborate with developers, security operations, product management, and incident response teams, sharing secure-coding and vulnerability-management practices while growing personal expertise.
Requirements
- Minimum 2 years of experience in application security, DevSecOps, or software development with security exposure; equivalent experience accepted in lieu of a degree; Bachelor's in Information Security, Cybersecurity, Computer Science, or related field.
- Hands-on coding background with knowledge of secure coding principles (OWASP Top 10, SANS CWE Top 25).
- Some hands-on exposure to CI/CD pipelines (GitHub, GitLab, Jenkins, or AWS DevOps) and an interest in integrating security tooling into them.
- Strong verbal and written communication skills, with the ability to explain security concepts to both technical and non-technical teammates.
- Eagerness to learn enterprise security tooling (vulnerability scanners, Bot Management, SAST/DAST/SCA) and maturity frameworks like DSOMM or BSIMM; deep prior experience with these is a plus, not a requirement.
- No certifications required; experience with CISSP, OSCP, GCSA, AWS Security Specialty, or CSSLP is a plus, and Wolfe will support earning them.
Technologies
- Snyk
- SemGrep
- Cycode
- GitHub
- GitLab
- Jenkins
- AWS DevOps
- DSOMM
- BSIMM
- OWASP Top 10
- SANS CWE Top 25
- SAST
- DAST
- SCA
- Bot Management
- WAF
Benefits
- Restricted Stock Units (RSUs)
- Profit share and/or incentive bonus
- Medical, Prescription, Vision, and Dental insurance for employees and dependents (Wolfe pays 80% of premium)
- Short-Term Disability Insurance (Wolfe pays 100% of premium)
- Voluntary Long-Term Disability Insurance, Life Insurance, Critical Illness Insurance, Accident Insurance, and Hospital Indemnity coverage
- PTO (vacation and sick time)
- Corporate Holidays and Floating Holidays
- 401(k)
- Employee recognition program
- Charitable Donation to a charity of your choice yearly
- Employee Referral Bonus
- Tuition Reimbursement
- Internal Training and Information sessions
- Family Picnic, Holiday Party, and other outings
- Internal Culture Club
Impact Statement
- Update existing Application Security Strategy and improve monitoring and reporting on KPIs.
- Make a significant improvement to at least one automated security tool (DAST, SAST, SCA, or container scanning) in the production CI/CD pipeline, with results feeding a documented triage workflow.
- Drive additional Bug Bounty submissions and improve bot management protections prior to end of Q3.
- Provide product and technology advisement and testing for new application and AI functionality.
- Develop and plan a purposeful Application and AI development training program.