Information Security Engineer

CBTS is seeking an Information Security Engineer to support their Enterprise Vulnerability Management Application Security program. The role involves triaging vulnerability submissions, validating findings, and ensuring effective communication with engineering teams to prioritize and track vulnerabilities.

Responsibilities:

• Review and triage vulnerability submissions from external researchers
• Validate technical accuracy, exploitability, and business impact
• Assess severity using established scoring models and program standards
• De-duplicate and disposition invalid or non-actionable submissions
• Classify vulnerabilities using established taxonomy
• Identify and assign remediation owners; track within centralized tools
• Evaluate false positive requests from application teams
• Analyze SAST/SCA scanner findings and perform source code review as needed
• Provide evidence-based dispositions with clear rationale
• Contribute to continuous improvement of triage standards, playbooks, and procedures
• Maintain awareness of common application security vulnerabilities and emerging threats
• Ensure vulnerability handling aligns with internal policies and regulatory expectations
• Maintain defensible documentation for audit and internal review
• Escalate high-risk or time-sensitive vulnerabilities appropriately
• Communicate findings, impact, and remediation guidance clearly to technical and non-technical audiences
• Partner with application and engineering teams to enable timely remediation

Requirements:

• Bachelor's degree in Computer Science, Information Security, or a related field — or equivalent practical experience
• 3–5 years of experience in information security, application security, or vulnerability management
• Strong understanding of application security principles and common vulnerabilities (e.g., OWASP Top 10)
• Experience with vulnerability triage, validation, and prioritization
• Familiarity with SAST, SCA, and DAST scanning tools and their outputs
• Ability to read and analyze source code to validate vulnerability findings
• Strong analytical skills for assessing exploitability and business risk
• Experience with vulnerability management or tracking platforms (ticketing systems, dashboards)
• Excellent written and verbal communication skills across technical and non-technical audiences
• Strong attention to detail and ability to make defensible, well-documented decisions
• Experience working with distributed or offshore teams
• Financial industry background