Job Summary
We are seeking a motivated and detail-oriented Application Security Engineer Level 1 to join our fintech company's security team. As an AppSec Engineer L1, you will help identify, analyze, and mitigate security vulnerabilities in our applications, working closely with product development teams to secure web, API, and mobile systems. You will engage in hands-on activities such as security reviews, basic scripting, automation, and vulnerability validation. This individual contributor role is perfect for engineers who are starting their security career and are eager to deepen their technical and security expertise, while contributing to the overall resilience of our applications.
Key Responsibilities
1. Application Security Assessments
- Assist in identifying and analyzing vulnerabilities, with a primary focus on OWASP Web, API, and Mobile Top 10 risks.
- Perform taint analysis and manual code reviews to find insecure sinks, banned functions, and security flaws.
- Investigate vulnerability classes such as IDOR, XSS, SQL injection, mass assignment, JWT-related issues, SSRF, and insecure deserialization.
2. Scripting and Automation
- Write Python scripts for tasks like log parsing, basic service interaction, or automating API testing.
- Use libraries such as requests or scapy to simulate security scenarios and support security assessments.
- Contribute to extending and using internal AppSec automation frameworks under guidance.
3. Code Review and Secure Development
- Review code for common security issues, analyze input flows across complex function graphs, and understand data sanitization points.
- Document vulnerabilities clearly with supporting evidence and propose secure coding practices.
4. Security Tooling and Manual Testing
- Use tools such as Burp Suite, Caido, and ZAP to manually test web and API endpoints, replay requests, and fuzz parameters.
- Perform manual testing for Out-of-Band interactions using Burp Collaborator or similar tools.
- Apply Android app security testing tools such as MobSF, Jadx, and Apktool.
5. Cross-Functional Collaboration
- Work closely with engineering teams to communicate findings, clarify risk impact, and collaborate on fixes.
- Participate in security-focused standups, retrospectives, and design reviews.
- Support security champions across product teams with technical insights.
6. Continuous Learning and Improvement
- Stay current on emerging application security vulnerabilities, security tooling, and attack techniques.
- Proactively learn about new technologies introduced into the tech stack and assess their security implications.
Requirements
Educational Background:
Bachelor’s degree in Computer Science, Engineering, Information Security, or equivalent practical experience.
Experience:
0–2 years of experience in application security, software engineering, or a related technical role.
Technical Skills:
- Understanding of OWASP Top 10 for Web, API, and Mobile; able to reason about vulnerabilities such as IDOR, XSS, SQLi, SSRF, and JWT issues.
- Basic Python scripting for tasks like log parsing or simple API interaction.
- Familiarity with secure coding principles and performing code reviews focused on identifying insecure patterns.
- Use of HTTP proxies (Burp Suite, Caido, ZAP) for manual request manipulation and fuzzing.
- Awareness of Android security testing tools (MobSF, Apktool, Jadx).
- Familiarity with instrumentation frameworks like Frida for tasks such as SSL pinning bypass or API hooking (preferred but not required).
Soft Skills:
- Analytical thinker with strong attention to detail.
- Effective communicator with the ability to explain technical issues clearly.
- Eager to learn and grow in the application security field.
- Strong work ethic and ownership mentality.
- Comfortable working in a fast-paced environment and collaborating across teams.
Preferred Qualifications
- Exposure to secure development lifecycle (SDL) practices.
- Familiarity with Frida or dynamic instrumentation techniques.
- Basic understanding of authentication, authorization models, and crypto vulnerabilities.
- Practical experience with penetration testing for web or mobile apps.
- Hands-on experience using version control (e.g., Git).