Application Security Engineer

Practical DevSecOps


Date: 6 hours ago
City: Al Khobar
Contract type: Full time

Role Overview

We are seeking a highly skilled Application Security Engineer with 6–8 years of experience to drive secure software development, cloud security, and application security initiatives across enterprise environments.

The ideal candidate will possess strong hands-on expertise in Microsoft Azure, Azure DevOps, Secure SDLC, Threat Modeling, Vulnerability Assessment & Penetration Testing (VAPT), Cloud Security, and Secure Application Architecture. This role requires deep technical involvement in integrating security throughout the software development lifecycle while supporting secure cloud adoption and compliance with organizational security requirements.

This position is approximately 80% hands-on technical execution and 20% governance, standards, and security advisory activities.

Key Responsibilities

DevSecOps & Secure SDLC

  • Design, implement, and maintain secure CI/CD pipelines using Azure DevOps.
  • Integrate security controls into all phases of the software development lifecycle.
  • Embed DevSecOps practices across development, testing, deployment, and operational processes.
  • Automate security testing and validation activities within CI/CD pipelines.
  • Establish secure coding standards, security gates, and release controls.
  • Collaborate with development teams to remediate security vulnerabilities and improve security posture.
  • Develop reusable security controls, templates, and secure development frameworks.

Application Security

  • Conduct secure code reviews for .NET, C#, Python, JavaScript, React, Angular, Node.js, and related technologies.
  • Perform application security assessments against web applications, APIs, microservices, and cloud-native workloads.
  • Identify security weaknesses and provide remediation guidance.
  • Validate remediation activities and verify closure of identified vulnerabilities.
  • Provide technical consultation on secure application architecture and design.

Vulnerability Assessment & Penetration Testing (VAPT)

  • Perform hands-on vulnerability assessments and penetration testing for:
      • Web applications
      • APIs
      • Mobile - iOS and Android
      • Cloud-hosted applications
      • Azure environments
      • SAST & DAST
      • Secure Code Review
      • Containers and Kubernetes platforms
  • Conduct authenticated and unauthenticated security assessments.
  • Execute manual validation of automated scan findings.
  • Analyze and prioritize vulnerabilities based on business and technical risk.
  • Support remediation efforts and perform retesting activities.
  • Maintain awareness of emerging attack techniques and security threats.

Threat Modeling & Secure Design

  • Independently conduct threat modeling exercises using STRIDE and industry-recognized methodologies.
  • Develop and maintain threat libraries, attack trees, misuse cases, and secure design patterns.
  • Facilitate threat modeling workshops with architects, developers, and project teams.
  • Identify architectural security risks and recommend mitigation strategies.
  • Review application and cloud solution designs from a security perspective.

Cloud Security Engineering (Azure)

  • Design and implement security controls for Microsoft Azure environments.
  • Secure Azure-native services including:
      • Azure App Services
      • Azure Kubernetes Service (AKS)
      • Azure Storage
      • Azure Key Vault
      • Azure API Management
      • Azure Functions
      • Azure SQL Services
  • Implement identity and access management controls using Microsoft Entra ID.
  • Manage and optimize Microsoft Defender for Cloud, Defender for DevOps, Defender for Containers, and Defender XDR capabilities.
  • Conduct Azure security reviews, architecture assessments, and configuration hardening activities.
  • Implement security monitoring, alerting, and cloud security best practices.

Container & Kubernetes Security

  • Secure containerized applications throughout the development lifecycle.
  • Implement container image scanning and vulnerability management processes.
  • Harden Kubernetes and AKS environments.
  • Secure Kubernetes workloads, secrets management, ingress configurations, RBAC controls, and network policies.
  • Implement runtime protection and container security monitoring capabilities.

Technical Risk Assessments

  • Perform application security risk assessments.
  • Perform cloud security risk assessments.
  • Perform infrastructure security assessments.
  • Conduct technical security reviews for new projects and technology implementations.
  • Evaluate security risks and recommend mitigation strategies.
  • Develop risk reports and communicate findings to technical and business stakeholders.

Security Governance & Compliance

  • Support compliance initiatives related to:
      • NCA Essential Cybersecurity Controls (ECC)
      • NCA Cloud Cybersecurity Controls (CCC)
      • ISO 27001
      • CIS Benchmarks
      • Saudi Personal Data Protection Law (PDPL)
  • Translate compliance requirements into technical security controls.
  • Support security audits, assessments, and remediation activities.

Required Technical Exposure & Skills

DevSecOps & Automation

  • Azure DevOps
  • CI/CD Pipeline Design and Security
  • Infrastructure as Code (Terraform, ARM, Bicep)
  • Git and GitOps methodologies
  • PowerShell, Python, and Bash scripting
  • Secure release management practices

Application Security

  • Secure SDLC
  • OWASP Top 10
  • OWASP API Security Top 10
  • Secure Coding Practices
  • Threat Modeling
  • STRIDE Methodology
  • Security Architecture Reviews
  • Source Code Security Reviews

Security Testing

  • Vulnerability Assessment
  • Penetration Testing
  • Web Application Security Testing
  • API Security Testing
  • Cloud Security Assessments
  • Manual Security Testing Techniques
  • Mobile Pentesting - iOS & Android

Security Tools

Experience with six or more of the following:

  • Microsoft Defender for Cloud
  • Microsoft Defender for DevOps
  • Microsoft Defender XDR
  • GitHub Advanced Security
  • SonarQube
  • Checkmarx
  • Veracode
  • Fortify
  • Snyk
  • OWASP ZAP
  • Burp Suite Professional
  • Trivy
  • Prisma Cloud
  • Aqua Security

Cloud & Platform Security

  • Microsoft Azure Security Architecture
  • Microsoft Entra ID
  • Azure Key Vault
  • Azure API Management
  • Azure Kubernetes Service (AKS)
  • Container Security
  • Kubernetes Security Engineering
  • Identity & Access Management
  • Secrets Management

Required Experience

  • 6–8 years of experience in DevSecOps, Application Security, Cloud Security, or related cybersecurity domains.
  • Minimum 4 years of hands-on Azure security experience.
  • Proven experience implementing DevSecOps practices in enterprise environments.
  • Demonstrated experience performing hands-on VAPT activities.
  • Proven experience conducting STRIDE-based threat modeling exercises.
  • Experience securing cloud-native and containerized applications.
  • Experience supporting compliance and regulatory security requirements.
  • Experience working in Agile and DevOps environments.

Preferred Certifications

Three or more of the following certifications are highly desirable:

  • CISSP
  • CCSP
  • OSCP
  • OSWE
  • GWAPT
  • CEH
  • GIAC Cloud Security Certifications
  • Kubernetes Security Specialist (CKS)
  • Kubernetes Administrator (CKA)
  • Azure Security certifications or equivalent practical experience

Equivalent demonstrable experience may be considered in lieu of certifications.

Soft Skills

  • Strong analytical and problem-solving abilities.
  • Excellent communication and stakeholder management skills.
  • Ability to translate technical risks into business impact.
  • Strong collaboration skills across development, operations, architecture, and security teams.
  • Self-driven with a continuous learning mindset.
  • Ability to work independently and lead security initiatives.
