- Location
- Manila, PH
- Type
- Full-time
- Department
- Engineering
Description
Application Security Engineer
Department: Engineering
Employment Type: Full Time
Location: Manila, PH
Reporting To: Andy Buckley
Description
A little about you...
- Read and write real code. Review pull requests for security-relevant changes and contribute fixes directly rather than filing tickets and walking away.
- Manually assess applications and APIs — find, exploit, and prove real vulnerabilities, and distinguish genuine risks.
- Build secure building blocks: reviewing libraries, safe wrappers, auth patterns, and paved-road templates so the easy way is the secure way.
- Perform threat modelling and design reviews on new features, working from how the system actually behaves, not a checklist.
- Automate security into CI/CD (Octopus deploy/Azure DevOps)
- Fix vulnerabilities; When you find a bug, ask what pattern allowed it and eliminate the pattern.
- Support incident investigation and remediation for application security issues and get hands-on with logs, code, and root cause.
- Level up engineers through code, examples, and quarterly training
- Help shape standards and priorities for the wider engineering teams (this is a small team; you'll have real influence, but the day job is engineering).
- Stay updated with the latest security threats, vulnerabilities, and industry trends to proactively address potential risks
- Advocate for security best practices and influence engineering culture to prioritize security
- Evaluate and adopt new security tools and technologies to enhance the security posture
- Participate incident response efforts for application security incidents, including investigation and remediation
- Collaborate with compliance teams to ensure applications meet regulatory and industry-specific security requirements (e.g., GDPR, ISO 27001)
- Implement and oversee security tools and technologies such as SAST, and DAST solutions
- Facilitate security architecture reviews and threat modelling sessions for new and existing applications
- Report on security metrics and KPIs to senior management, providing insights into the security posture and areas for improvement
- Drive continuous improvement, fostering a culture of security awareness and proactive risk management
- Coordinate with third-party vendors and security consultants as needed for specialised assessments or audits
About the role...
- Strong software engineering background — you've written and shipped production code, ideally in .NET and/or TypeScript/React, and you can drop into an unfamiliar codebase and reason about it.
- Solid application security experience securing web apps and APIs.
- Demonstrated ability to find vulnerabilities manually and explain both the exploit and the fix.
- Comfortable integrating and, crucially, tuning security testing in CI/CD so the output is trustworthy.
- You've influenced engineers as a peer, through code and pragmatism.
- Offensive/practical certs like OSCP, or an equivalent
- Cloud security depth in AWS and/or Azure; container/orchestration security.
- Familiarity with GDPR, ISO 27001, SOC 2 as constraints to engineer around.
- Expert knowledge of application security principles, practices, and frameworks such as OWASP Top Ten, SANS/CWE Top 25
- Proficiency with security testing tools like Burp Suite, OWASP ZAP, Fortify, Checkmarx, SonarQube or similar
- Strong understanding of secure coding practices in languages and frameworks such as JavaScript, TypeScript, ReactJS, .NET, and others
- Familiarity with DevSecOps practices and integrating security tools into CI/CD pipelines
- Knowledge of authentication and authorization protocols such as OAuth, SAML, JWT, and multi-factor authentication
- Understanding of cloud security principles and experience with cloud platforms like AWS and/or Azure
- Experience with compliance standards and regulations like GDPR, ISO 27001, PCI DSS, and SOC 2
- Knowledge of encryption standards, key management, and data protection strategies
- Experience with incident response processes and security event management
- Excellent communication skills, adept at conveying security concepts to both technical and non-technical stakeholders
- High attention to detail with a commitment to maintaining the highest standards of security and quality
- Proactive and strategic thinker, able to anticipate security challenges and stay ahead of emerging threats
- Collaborative mindset, thriving in a cross-functional team environment and building strong relationships across departments
- Passionate about security, with a continuous desire to learn and stay updated on the latest industry trends and threats
- Resilient and adaptable, capable of handling high-pressure situations and making sound decisions during security incidents
- Ethical and trustworthy, maintaining the highest level of integrity in handling sensitive information