Bold Penguin is the premier digital broker for commercial insurance. As a Senior Application Security Engineer, you will strengthen the security of applications, identify and remediate vulnerabilities, and promote secure development practices while collaborating with development and infrastructure teams.
Responsibilities:
- Identify, triage, and remediate application vulnerabilities directly in the code — writing the fix and shepherding it through review and deployment with the owning team, not just filing tickets
- Validate and reproduce findings to eliminate false positives, assess real exploitability and business impact, and drive remediation to closure against defined SLAs
- Operate, tune, and continuously improve application security tooling (SAST, DAST, software composition analysis and dependency scanning, secrets scanning, and container/image scanning), integrating findings into developer workflows
- Embed security into CI/CD pipelines and Git-based workflows so vulnerabilities are caught automatically — and, wherever possible, fixed — before code reaches production
- Partner with development teams to define and roll out secure coding standards and pre-commit / pre-merge checks, shifting security left so issues are caught and fixed before code is committed
- Lead threat modeling for new features and architecture changes, and perform security-focused code reviews for sensitive changes
- Maintain application security standards (OWASP Top 10 prevention, input validation and output encoding, parameterized queries, secure-by-default design) and enforce secure API practices
- Strengthen software supply chain and repository security
- Maintain compliance with industry-standard frameworks and produce evidence for audits (SOC 2, NYDFS, and PCI DSS)
- Coach developers through hands-on enablement and a security champions program, and provide application security expertise during incident response
- Lead security projects independently, delivering them on time while aligning with business and security goals
- Other duties and responsibilities as assigned
Requirements:
- Bachelor's degree in Computer Science, Information Technology, Cybersecurity, or relevant work experience
- Minimum of 4-6 years of practical experience in application security, secure software engineering or software engineering with a strong security focus
- Current, hands-on development ability in one or more languages used in modern web platforms (e.g., Python, JavaScript/TypeScript, Go, or Java) — you can read, write, and ship production code to fix vulnerabilities, not just describe them
- Deep, practical knowledge of the OWASP Top 10, common web and API vulnerability classes, and secure coding practices
- Hands-on experience with application security tooling categories — SAST, DAST, SCA / dependency scanning, and secrets scanning — and integrating them into developer workflows
- Experience performing threat modeling and security-focused code reviews
- Working knowledge of application security in a cloud environment (AWS preferred)
- Strong collaboration and communication skills — you can influence developers, explain remediation clearly, and make security the easy choice
- Relevant certifications such as OSWE, GWAPT, CSSLP, OSCP, or AWS Certified Security - Specialty
- Experience with multi-account cloud setups or advanced cloud security architectures
- Experience with container and Kubernetes security, and Infrastructure-as-Code security (e.g., Terraform)
- Experience working in a regulated environment (SOC 2, PCI DSS, NYDFS, or similar)
- Bug bounty participation, security research, CTF, or other offensive-security experience
- Background in InsurTech, FinTech, or another data-sensitive industry