Application Security Engineer

Role Overview

We are seeking a highly skilled Application Security Engineer with 6–8 years of experience to drive secure software development, cloud security, and application security initiatives across enterprise environments.

The ideal candidate will possess strong hands-on expertise in Microsoft Azure, Azure DevOps, Secure SDLC, Threat

Modeling, Vulnerability Assessment &

• Penetration Testing (VAPT), Cloud Security, and Secure Application

Architecture. This role requires deep technical involvement in integrating security throughout the software development lifecycle while supporting secure cloud adoption and compliance with organizational security requirements.

This position is approximately 80% hands-on technical execution and 20% governance, standards, and security advisory activities.

Key Responsibilities

DevSecOps &

• Secure SDLC

• Design, implement, and maintain secure CI/CD pipelines using Azure DevOps.
• Integrate security controls into all phases of the software development lifecycle.
• Embed DevSecOps practices across development, testing, deployment, and operational processes.
• Automate security testing and validation activities within CI/CD pipelines.
• Establish secure coding standards, security gates, and release controls.
• Collaborate with development teams to remediate security vulnerabilities and improve security posture.
• Develop reusable security controls, templates, and secure development frameworks.

Application Security

• Conduct secure code reviews for .NET, C#, Python, JavaScript, React, Angular, Node.js, and related technologies.
• Perform application security assessments against web applications, APIs, microservices, and cloud-native workloads.
• Identify security weaknesses and provide remediation guidance.
• Validate remediation activities and verify closure of identified vulnerabilities.
• Provide technical consultation on secure application architecture and design.

Vulnerability Assessment &

• Penetration Testing (VAPT)

• Perform hands-on vulnerability assessments and penetration testing for:

Web applications

APIs

• Mobile- iOS and Androido Cloud-hosted applications

Azure environments

• SAST &
  • DAST

  Secure Code Review

  Containers and Kubernetes platforms

• Conduct authenticated and unauthenticated security assessments.
• Execute manual validation of automated scan findings.
• Analyze and prioritize vulnerabilities based on business and technical risk.
• Support remediation efforts and perform retesting activities.
• Maintain awareness of emerging attack techniques and security threats.

Threat Modeling &

• Secure Design

• Independently conduct threat modeling exercises using STRIDE and industry-recognized methodologies.
• Develop and maintain threat libraries, attack trees, misuse cases, and secure design patterns.
• Facilitate threat modeling workshops with architects, developers, and project teams.
• Identify architectural security risks and recommend mitigation strategies.
• Review application and cloud solution designs from a security perspective.

Cloud Security Engineering (Azure)

• Design and implement security controls for Microsoft Azure environments.
• Secure Azure-native services including:

Azure App Services

Azure Kubernetes Service (AKS)

Azure Storage

Azure Key Vault

Azure API Management

Azure Functions

Azure SQL Services

• Implement identity and access management controls using Microsoft Entra ID.
• Manage and optimize Microsoft Defender for Cloud, Defender for DevOps, Defender for Containers, and Defender XDR capabilities.
• Conduct Azure security reviews, architecture assessments, and configuration hardening activities.
• Implement security monitoring, alerting, and cloud security best practices.

Container &

• Kubernetes Security

• Secure containerized applications throughout the development lifecycle.
• Implement container image scanning and vulnerability management processes.
• Harden Kubernetes and AKS environments.
• Secure Kubernetes workloads, secrets management, ingress configurations, RBAC controls, and network policies.
• Implement runtime protection and container security monitoring capabilities.Technical Risk Assessments
• Perform application security risk assessments.
• Perform cloud security risk assessments.
• Perform infrastructure security assessments.
• Conduct technical security reviews for new projects and technology implementations.
• Evaluate security risks and recommend mitigation strategies.
• Develop risk reports and communicate findings to technical and business stakeholders.

Security Governance &

• Compliance

• Support compliance initiatives related to:
• NCA Essential Cybersecurity Controls (ECC)
• NCA Cloud Cybersecurity Controls (CCC)

ISO 27001

CIS Benchmarks

• Saudi Personal Data Protection Law (PDPL)
• Translate compliance requirements into technical security controls.
• Support security audits, assessments, and remediation activities.

Required Technical Exposure &

• Skills

DevSecOps &

• Automation

Azure DevOps

• CI/CD Pipeline Design and Security
• Infrastructure as Code (Terraform, ARM, Bicep)

Git and GitOps methodologies

• PowerShell, Python, and Bash scripting

Secure release management practices

Application Security

Secure SDLC

OWASP Top 10

• OWASP API Security Top 10

Secure Coding Practices

Threat Modeling

STRIDE Methodology

Security Architecture Reviews

Source Code Security Reviews

Security Testing

Vulnerability Assessment

Penetration Testing

Web Application Security Testing

API Security Testing

Cloud Security Assessments

Manual Security Testing Techniques

• Mobile Pentesting-iOS &
  • Android

Security Tools

Experience With Six Or More Of The Following

Microsoft Defender for Cloud

Microsoft Defender for DevOps

Microsoft Defender XDR

GitHub Advanced Security

SonarQube

Checkmarx

Veracode

Fortify

Snyk

OWASP ZAP

Burp Suite Professional

Trivy

Prisma Cloud

Aqua Security

Cloud &

• Platform Security

Microsoft Azure Security Architecture

Microsoft Entra ID

Azure Key Vault

Azure API Management

Azure Kubernetes Service (AKS)

Container Security

Kubernetes Security Engineering

• Identity &
  • Access Management

  Secrets Management

Required Experience

• 6–8 years of experience in DevSecOps, Application Security, Cloud Security, or related cybersecurity

domains.

• Minimum 4 years of hands-on Azure security experience.
• Proven experience implementing DevSecOps practices in enterprise environments.
• Demonstrated experience performing hands-on VAPT activities.
• Proven experience conducting STRIDE-based threat modeling exercises.
• Experience securing cloud-native and containerized applications.
• Experience supporting compliance and regulatory security requirements.
• Experience working in Agile and DevOps environments.

Preferred Certifications

Three or more of the following certifications is highly desirable:

CISSP

CCSP

OSCP

OSWE

GWAPT

CEH

GIAC Cloud Security Certifications

Kubernetes Security Specialist (CKS)

Kubernetes Administrator (CKA)

• Azure Security certifications or equivalent practical experience

Equivalent demonstrable experience may be considered in lieu of certifications.

Soft Skills

• Strong analytical and problem-solving abilities.
• Excellent communication and stakeholder management skills.
• Ability to translate technical risks into business impact.
• Strong collaboration skills across development, operations, architecture, and security teams.
• Self-driven with a continuous learning mindset.
• Ability to work independently and lead security initiatives.