Qureos


Application Security Engineer

JOB DESCRIPTION

Application Security Engineer

Department:

Technologies – Infrastructure

Reports to:

Security Operations Manager

1. Position Summary

The Application Security Engineer is responsible for safeguarding the organization’s application landscape by embedding security into every step of the software development lifecycle (SDLC). The role requires a deep understanding of application security principles, penetration testing, threat modelling, secure coding practices, and modern DevSecOps methodologies.

The ideal candidate will work closely with development, project teams, and broader technology functions to proactively identify vulnerabilities, conduct in‑depth security assessments, and implement preventative controls. The role demands hands‑on experience with SAST/DAST tools, application penetration testing, API security, and the ability to integrate security controls within CI/CD pipelines.

This position operates in a fast‑paced environment requiring strong technical expertise, excellent communication skills, and the ability to translate complex security findings into actionable remediation guidance. The successful candidate will play a critical role in maturing the organization’s application security posture and ensuring compliance with industry best practices and global security standards.

2. Responsibilities

· Integrate security into all phases of the SDLC by collaborating with development, QA, project, and architecture teams.

· Conduct comprehensive application security assessments, including manual and automated code reviews, DAST/SAST analysis, and penetration testing for web, mobile, and API-based applications.

· Perform design and architecture reviews, including threat modelling using frameworks such as STRIDE and PASTA.

· Identify vulnerabilities and provide remediation guidance aligned with secure coding standards and frameworks such as OWASP Top 10, OWASP ASVS, and CWE, conducting assessments in line with NIST SP 800‑115.

· Develop and maintain application security policies, secure coding guidelines, and best practice references.

· Support integration of security tooling into CI/CD pipelines.

· Review and improve security processes, focusing on optimization and automation opportunities.

· Conduct cloud and infrastructure penetration tests when required, in coordination with infrastructure teams.

· Manage and validate vulnerability findings using enterprise vulnerability management systems.

· Assist development teams in debugging and resolving security vulnerabilities, ensuring timely remediation.

· Participate in incident response activities related to application-layer attacks.

· Maintain up‑to‑date knowledge of emerging threats, exploit techniques, and evolving security technologies.

· Provide clear technical documentation, reports, and executive summaries of assessment results.

· Support internal audits, compliance requirements, and risk assessments related to application security.

· Promote secure-by-design principles and contribute to the organization’s DevSecOps strategy.

· Ensure full compliance with Information Security and Assurance policies, industry standards, and applicable regulatory requirements by embedding governance and controls across the application lifecycle.

· Develop, maintain, and enforce application and system hardening baselines aligned with CIS Benchmarks and other security configuration standards.

· Participate in 24×7 support during critical application security incidents, investigations, and urgent remediation activities as required.

· Contribute to security-related initiatives and projects, performing additional duties as assigned to support evolving business and technology needs within the security program.

3. Required Experience

· 5-7 years of professional experience in application security, penetration testing, or related security engineering roles.

· Demonstrated hands‑on experience in application penetration testing using intercepting proxies and scanners such as Burp Suite and OWASP ZAP, together with related exploitation frameworks.

· Strong knowledge of OWASP Top 10, OWASP ASVS, OWASP SAMM, and secure SDLC frameworks.

· Experience performing threat modelling and reviewing application architecture designs.

· Hands‑on expertise with SAST/DAST tools and integrating them into CI/CD workflows.

· Working knowledge of vulnerability management process and tools.

· Practical experience reviewing code in languages such as JavaScript, TypeScript, Java, or similar.

· Good understanding of microservices, REST APIs, authentication/authorization mechanisms, and modern application frameworks.

· Basic scripting proficiency (Python, Bash, or PowerShell).

· Familiarity with container security, cloud-native security concepts, and DevSecOps practices.

· Understanding of networking, TCP/IP fundamentals, and common attack vectors.

Education:

· BSc/BA in Computer Science, Cybersecurity, Information Technology, or equivalent professional experience.

Industry Qualifications:

· OSWE, OSCP, OSWA, GPEN, GWAPT, GCPN, or similar security certifications.

· Certifications in secure coding, cloud security, or application security standards.

· DevSecOps‑related certifications are an advantage.

4. Key Behaviours / Competencies

· Strong analytical and problem‑solving skills with attention to detail.

· Ability to work independently, prioritize workload, and meet defined deadlines.

· Excellent communication skills, with the ability to explain technical vulnerabilities to non‑technical stakeholders.

· Demonstrated ability to operate effectively in high‑pressure environments.

· A mindset focused on continuous improvement, innovation, and automation.

· Strong collaboration and teamwork skills across multidisciplinary teams.

· Ability to evaluate applications from both attack and defense perspectives.

· Demonstrate a customer‑first mindset by enabling secure, frictionless digital experiences.

· Balance security requirements with business needs to support secure innovation.

· Provide clear, empathetic, and actionable guidance to internal stakeholders.

· Ensure security processes support transparency, agility, and minimal disruption to delivery teams.

5. Primary Contacts

o Information Security Team

o Development Leads / Testing Teams

o Project Managers

o Security Operations Center (SOC)

o Architecture & Governance Team

o Internal and External Auditors

Job Types: Temporary, Contract
Contract length: 12 months

Pay: BD1,000.000 - BD1,500.000 per month

© 2026 Qureos. All rights reserved.