Senior Application Security Engineer

About Us:

Recognized among Pittsburgh's 2024 Top Workplaces and Fastest-Growing Companies, Wolfe has been a leader in the Gift Card and FinTech sectors for over 25 years. We power gift card programs for national merchants like KFC, and our flagship consumer brand, PerfectGift.com, enables customers to create customized gift cards. Learn more about our company culture, core values, and industry recognition on our career page (https://wolfe-llc.breezy.hr/).

Job Summary:

Are you ready to elevate security practices to new heights? Our organization is on the lookout for a dynamic Senior Application Security Engineer who will revolutionize our application security strategies. Located in the vibrant city of Pittsburgh, PA, this on-site role is the perfect opportunity to collaborate with key stakeholders in Technology, Product, and Strategic Business Units to tackle the most pressing security challenges head-on.

As a Senior Application Security Engineer, you will spearhead the secure software development lifecycle, embedding cutting-edge security practices at every step of our DevOps pipelines and application security processes. Your expertise in maturity models like DSOMM (DevSecOps Maturity Model), CI/CD pipelines, and vulnerability management tools will be crucial in transforming our security landscape. Join forces with our engineering, DevOps, Product, and Technology teams to implement automated security controls, threat modeling, and risk mitigation strategies that will shape the future of our software development lifecycle.

This role requires minimal travel and the ability to work in a fast-paced, dynamic environment. The position may involve working outside normal business hours to address urgent compliance or security incidents.

Key Responsibilities:

DevSecOps & Maturity Measurement Implementation:

• Assess, report, and assist with improving application security and DevSecOps Maturity, utilizing a measurement framework such as DSOMM or BSIMM, across the organization.
• Define and implement security policies, standards, and best practices for DevOps, CI/CD pipelines, and cloud security.
• Work with development and DevOps teams to integrate automated security testing (SAST, DAST, SCA, IaC security scanning, etc.) into pipelines.
• Establish security gates in CI/CD workflows to prevent deployment of vulnerable code.
• Application Security & Code Vulnerabilities:
• Perform code reviews, static/dynamic security testing (SAST/DAST), and secure coding guidance to developers.
• Identify and remediate vulnerabilities in application code, libraries, containers, and infrastructure as code (IaC).
• Develop and enforce secure coding standards in alignment with OWASP, NIST, and other frameworks.
• Conduct threat modeling and security architecture reviews for applications and services. For example, assist application teams with developing accurate data flow diagrams and developing appropriate identity management solutions.
• Manage and mature Bot Management services for all applications. Assist with WAF management and maturity.
• Improve secrets management and API security.

Vulnerability Management & Risk Reduction:

• Manage and mature enterprise-wide Bug Bounty program (e.g. BugCrowd, HackerOne)
• Manage vulnerability scanning tools (e.g., Tenable, Qualys, Sonar, Snyk) and prioritize remediation efforts.
• Track, assess, and coordinate the remediation of vulnerabilities across the application, infrastructure, and cloud environments.
• Develop risk-based vulnerability management workflows and collaborate with engineering teams to drive fixes.
• Monitor security dashboards and metrics, ensuring vulnerabilities are patched in alignment with SLAs.

Security CI/CD Automation & Tooling:

• Implement security automation using APIs, scripts, and cloud-native security controls.
• Work with DevOps engineers to integrate security tooling (like SemGrep, Snyk, Cycode) or within Jenkins, GitHub, GitLab CI/CD, or AWS DevOps.
• Automate security findings triage, reporting, and prioritization processes.

Security Awareness & Collaboration:

• Train and mentor developers on secure coding, threat modeling, DevSecOps, and vulnerability management best practices.
• Collaborate with security operations, incident response, and compliance teams on security initiatives.
• Participate in security assessments, penetration testing, and security incident investigations.

Qualifications & Experience:

• Bachelor’s Degree in Information Security, Cybersecurity, Computer Science, or a related field OR a minimum of 8 years’ experience in lieu of a degree. Master’s Degree in Cybersecurity, Information Technology, Business Administration, or a related field is preferred.
• 5+ years of experience in application security, DevSecOps, and security engineering.
• Hands-on experience with DevSecOps tools (SAST, DAST, SCA, container security, IaC security).
• Strong knowledge of secure coding principles and frameworks such as OWASP Top 10, SANS CWE Top 25.
• Experience with integrating security solutions within CI/CD pipelines.
• High proficiency in at least one programming language (Python, Java, Go, PHP, JavaScript, etc.).
• Experience with vulnerability management and tools (Tenable, Qualys, or Rapid7).
• Experience with web app penetration testing tooling (BurpSuite, Acunetix, or Zap).
• Experience with implementing maturity measurement frameworks such as DSOMM (DevSecOps Maturity Model) or BSIMM (Building Security in Maturity Model) in an enterprise setting.
• Familiarity with cloud security best practices (AWS, Azure/Entra, GCP).
• Familiarity with Bot Management tooling (DataDome, HUMAN, CloudFlare, or reCAPTCHA) and client-side monitoring tooling (FullStory, Source Defense, or Reflectiz).
• Familiarity with AI machine learning or LLM usage within security tooling.
• Security certifications like CISSP, OSCP, GCPN, GCSA, AWS Security Specialty, or CSSLP is preferred.
• Experience with Infrastructure as Code (Terraform, CloudFormation, Kubernetes security) is preferred.
• Knowledge of compliance frameworks such as NIST, ISO 27001, SOC 2, PCI DSS, and PCI Card Production is preferred.
• Technical Aptitude: Ability to understand and communicate best-practice system architectures, data flows, and security controls within modern web applications and cloud (SaaS/PaaS, IaaS).
• Communication: Excellent verbal and written communication skills, with the ability to communicate complex security concepts to technical and non-technical stakeholders.
• Strategic Thinking: Ability to develop and implement strategic cybersecurity plans that align with business goals and product advancements.

Compensation & Benefits:

Wolfe is committed to providing a comprehensive benefits package to support your well-being, along with competitive compensation targeting the top 25% (75th percentile) in the local market. Our benefits and perks include but not limited to:

• Restricted Stock Units (RSUs)
• Profit Share
  
• Medical, Prescription, Vision, and Dental insurance for employees and dependents (Wolfe pays 80% of premium)
• Short-Term Disability Insurance (Wolfe pays 100% of premium)
• Voluntary Long-Term Disability Insurance, Life Insurance, Critical Illness Insurance, Accident Insurance, and Hospital Indemnity coverage
• PTO (vacation)
• Corporate Holidays
• 401(k)
• Employee recognition program
• Charitable Donation to a charity of your choice yearly
• Employee Referral Bonus
• Tuition Reimbursement
• Internal Training and Information sessions
• Family Picnic, Holiday Party, and other outings
• Internal Culture Club

Wolfe is an Equal Opportunity Employer.

Wolfe does not sponsor individuals for the purpose of obtaining H-1 Visas.