Sr. Application Security Engineer

Problems You Will Solve

• Partner with engineering and product teams to define and implement security requirements for applications, APIs, and microservices during design and architecture reviews.
• Conduct in-house penetration testing, secure code reviews, and threat modeling for high-impact features and critical products.
• Lead application vulnerability management, including triaging and driving the remediation of security findings from SAST, DAST, SCA, and penetration tests.
• Consult and advise cross-functional teams (engineering, DevOps, product) on secure coding practices, security architecture, and remediation strategies.
• Establish and maintain application security standards, guidelines, and best practices, aligned with OWASP, NIST, ISO, and industry frameworks.
• Ensure vulnerabilities are classified, prioritized, and remediated according to vulnerability management policies and regulatory requirements.
• Work closely with DevSecOps teams to ensure SAST/DAST/IAST/SCA tools are integrated into CI/CD pipelines and functioning effectively.
• Track and manage security issues to resolution, providing metrics, reports, and dashboards for leadership visibility.
• Stay up-to-date with emerging security threats, vulnerabilities, tools, and methodologies to continuously improve Prosper’s security posture.

All About You

• Bachelor’s degree in Computer Science, Information Security, or related field, with 8+ years of relevant experience (or Master’s degree with 6+ years).
• Strong hands-on experience in application security, secure coding, and penetration testing.
• Development background with expertise in Java/Python, SQL, JavaScript, HTML and experience reviewing modern application architectures.
• Experience working with modern web application frameworks (e.g., Spring Boot, .NET, J2EE, Rails, REST, SOAP).
• In-depth understanding of web and API security vulnerabilities (e.g., OWASP Top 10, API Top 10, CWE).
• Familiarity with authentication and authorization protocols (e.g., OAuth2, OIDC, SAML).
• Knowledge of application security testing tools (SAST, DAST, SCA, IAST) and methodologies.
• Proven experience working with DevOps/DevSecOps pipelines, integrating security tools and automation.
• Strong understanding of vulnerability management processes and regulatory frameworks (e.g., PCI DSS, GDPR, SOC 2).
• Bonus: Knowledge of cloud security (AWS, GCP, Azure) and container security (Docker, Kubernetes).
• Security experience in Agile, CI/CD, and fast-paced product development environments.
• Preferred: Industry certifications such as OSCP, CSSLP, GWAPT, CEH, GPEN, CISSP.
• Preferred: Familiarity with mobile application security testing and API security testing tools (e.g., Burp Suite, Postman, ZAP, Insomnia).
• Preferred: Knowledge of network security, infrastructure security, and microservices architecture.
• Preferred: Experience driving secure SDLC initiatives and developer security education.

What We Offer

• The opportunity to collaborate with a team of creative, fun, and driven colleagues on products that have an immediate and significant impact on people's lives
• The opportunity to work in a fast-paced environment with experienced industry leaders
• Flexible time off, comprehensive health coverage, competitive salary, paid parental leave
• Wellness benefits including access to mental health resources, virtual HIIT and yoga workouts
• A bevy of other perks including Udemy access, childcare assistance, pet insurance discounts, legal assistance, and additional discounts