Application Security Engineer (Remote in Bulgaria, Germany, Italy, Serbia, Turkey)

Constructor TECH is an all-in-one platform for education and research. With expertise in machine intelligence and data science, Constructor is built to cater to the needs of schools, higher education, corporate training, alternative credentials, and professional sports, offering solutions for teaching and administration, learning and research. 

From infrastructure to applications, Constructor elevates learning experiences, empowers educators, and drives research breakthroughs.

Our headquarters is situated in Switzerland. Also, we have entities in Germany, Bulgaria, Serbia, Turkey, and Singapore.

About the Role: We are seeking an Application Security Engineer with a strong background in web application security design, secure development practices, and vulnerability testing. This role also requires practical experience with Software Bill of Materials (SBOM) management and implementation, contributing to our secure SDLC and software supply chain risk reduction efforts.

Key Responsibilities:

· Perform threat modeling, security architecture review, and design analysis for web applications and APIs.

· Conduct manual and automated security testing during development and pre-release stages.

· Design and implement security pipelines (including SAST and DAST) and integrate them into the SDLC process.

· Implement and manage SBOM generation and consumption processes across the SDLC.

· Collaborate with development teams to ensure timely remediation of identified vulnerabilities.

· Maintain security guidance aligned with OWASP best practices and provide trainings for development teams.

· Stay current with evolving application security threats, tools, and industry developments.

Qualifications:

· 3–5 years of experience in application security, with a focus on web applications and API security.

· Good knowledge of at least one scripting or programming language (e.g., Python, JavaScript, C#, or Go).

· Experience with tools like OWASP ZAP, Burp Suite, Snyk, or similar.

· Familiarity with secure coding, DevSecOps, and container security concepts.

· Strong understanding of CVE, CVSS, and vulnerability disclosure workflows.

· Excellent command of business English.

Preferred Qualifications:

· Knowledge of SBOM standards (CycloneDX, SPDX) and experience integrating SBOM tooling into CI/CD pipelines.

· Knowledge of software composition analysis (SCA) tools.

· Relevant certifications such as GWAPT, OSWE, or CSSLP.

What We Offer

Constructor fosters equal opportunity for people of all backgrounds and identities. We are led by a gender-balanced board committed to building a diverse and inclusive organization where everyone can become their best self. We do not discriminate based on age, disability, gender identity, sexual orientation, ethnicity, race, religion or belief, parental and family status, or other protected characteristics. We welcome applications from women, men and non-binary candidates of all ethnicities and socio-economic backgrounds. We encourage people belonging to underrepresented groups to apply.