Application Security Engineer

Remote • Posted 1 hour ago • Updated 1 hour ago
Contract W2
No Travel Required
Remote
Depends on Experience

Job Details

Skills

  • ACL
  • API
  • Business Rules
  • Cloud Computing
  • Collaboration
  • Customer Facing
  • Filing
  • Fluency
  • GraphQL
  • Java
  • JavaScript
  • Management
  • OSCP
  • OWASP
  • Penetration Testing
  • Risk Management
  • SaaS
  • Security Engineering
  • Software Security
  • Web API

Summary

About the Role:

You will join the Global Security Support Center (GSSC) Application Security team, which is responsible for managing the entire lifecycle of security findings reported by customers and penetration testers. This is a hands-on role that requires a deep understanding of security issues. You will triage real vulnerability reports, configure the Client instance to reflect the customer's setup, communicate directly with enterprise customers, and dive into the platform-level code to validate and assess security concerns.

As a trusted security advisor, you will handle high-impact security vulnerabilities, investigate internal systems for duplication or remediation plans, and track security issues in collaboration with engineering teams. You will also demonstrate risk levels to implement appropriate risk mitigation controls.

What You'll Do

  • Triage security findings submitted via customer channels: validate exploitability, assess scope and risk, and determine the remediation path.
  • Analyze platform-level vulnerabilities across web, API, and server-side attack surfaces (SSRF, IDOR, blind query injection, SQLi, XSS, GraphQL abuse, privilege escalation, etc.).
  • Write customer-facing security assessments that are technical enough to satisfy a CISO and clear enough for an account team to deliver.
  • Coordinate with engineering on defect filing, backport decisions, and patch validation.
  • Reproduce and verify reported vulnerabilities in lab environments (PDI/cloud instances/Local).
  • Review code (JavaScript/Java) to trace attack paths and validate fix completeness.

What You Bring

Required:

  • Comfortably navigate a Client instance and reason about security in the Now Platform context.
  • Understand key platform mechanisms: ACLs/roles, scoped apps, business rules, scripted REST APIs, and data access patterns (GlideRecord/Table API).
  • Mirror a customer scenario in a lab tenant to reproduce and validate reported issues.
  • Trace the relevant server-side/client-side code path and clearly communicate scope and impact (what is and isn't affected).
  • 3+ years in application security pentesting, bug bounty, or product security engineering.
  • Strong working knowledge of OWASP Top 10 and beyond: prototype pollution, server-side injection, SSRF, IDOR, GraphQL attack surface.
  • Ability to read and trace code across JavaScript and Java codebases.
  • Experience writing technical security reports for both engineering and executive audiences.
  • CVSS scoring fluency: not just the number, but the reasoning behind it.

Nice to Have:

  • Advanced SaaS platform experience (e.g., custom app development or deep familiarity with the ACL model and scoping boundaries)
  • Background in customer-facing security roles or managed security services
  • Familiarity with bug bounty programs (HackerOne, Bugcrowd) from the triage side
  • Security certifications (GWEB, GWAPT, OSCP, or equivalent)

Employers have access to artificial intelligence language tools ("AI") that help generate and enhance job descriptions, and AI may have been used to create this description. The position description has been reviewed for accuracy and Dice believes it to correctly reflect the job opportunity.

  • Dice Id: 10360765
  • Position Id: 26-11847