Application Security Engineer (ServiceNow Instance Security)
Team: Global Security Support Center (GSSC) – Application Security (AppSec)
About the Team: The Global Security Support Center (GSSC) plays a critical role in strengthening ServiceNow’s internal and external security posture and acts as a key interface with customers on security-related matters.
GSSC AppSec is a globally distributed team responsible for executing the Customer Penetration Testing & Security Findings (CPT & SF) program, partnering across the Security Organization to reduce risk, handle escalations, and represent the voice of the customer.
This role is focused on ServiceNow instance security—helping customers and internal teams identify, understand, and remediate insecure configurations and instance-level security gaps.
Role Summary: As an Application Security Engineer in GSSC AppSec, you will secure ServiceNow instances by identifying configuration-driven security risks, validating customer-reported findings, and driving clear, actionable remediation guidance.
This is a hands-on technical role that blends application security expertise with deep ServiceNow platform knowledge. At the senior end of the range, you will operate with minimal direction, own complex instance-security problem spaces, and influence how GSSC AppSec scales instance security guidance and posture improvements globally.
Key Responsibilities
ServiceNow Instance Security & Hardening
• Assess ServiceNow instance configurations against security baselines and identify misconfigurations that impact confidentiality, integrity, or availability.
• Develop and maintain prescriptive instance-hardening guidance covering authentication, access controls, encryption, logging, monitoring, and operational security.
• Translate security requirements and risk into clear, customer-consumable recommendations that can be implemented by teams with varying security maturity.
• Identify recurring misconfiguration patterns and drive systemic improvements (guidance, tooling, checks).
AppSec & Customer Security Findings (CPT & SF)
• Triage, validate, and contextualize customer-reported security findings where instance configuration or deployment patterns are a contributing factor.
• Distinguish between product vulnerabilities and configuration issues, documenting impact and appropriate remediation paths.
• Partner with Product Security, Engineering, and other Security teams to resolve complex or high-impact findings.
• Support escalations and high-visibility customer interactions as an instance-security subject-matter expert.
Required Qualifications
• Strong foundation in application security (vulnerability analysis, secure design principles, threat modeling mindset).
• Ability to read, write, and debug code to validate findings and understand security impact.
• Experience translating security risk into actionable remediation guidance.
• Excellent written and verbal communication skills, especially for customer-facing or executive-visible content.
Preferred Qualifications
• Hands-on experience with the ServiceNow platform, especially platform security features, configuration, and administration.
• Familiarity with SaaS security posture management and misconfiguration risk.
• Prior experience supporting customer-reported security findings, escalations, or external security reviews.
• Experience influencing security outcomes without direct authority (cross-functional collaboration).
What Success Looks Like
• Customers and internal teams receive clear, accurate, and actionable guidance to secure their ServiceNow instances.
• Reduced repeat instance-security issues through improved baselines, guidance, and detection.
• Faster, higher-confidence triage of customer-reported security findings tied to instance configuration.
• GSSC AppSec becomes more scalable and consistent in how it addresses instance-level security risk.
Education: Strong foundation in application security (vulnerability analysis, secure design principles, threat modeling mindset).
Frequently Asked Questions
• Based on the job description, what are the must-have, non-negotiable items that a candidate needs to be successful in this role?
Securing the ServiceNow platform; knowing how to create ACLs or any other ServiceNow security controls; reading, writing, and debugging code.
• Does this position require sitting onsite or traveling?
No
• Does this person have to work in a specific time zone? (e.g. - If a person on the East Coast can work PST, is that ok?)
Flexible
• Does this position have the opportunity to extend beyond the initial contract or convert to FTE?
To be discussed
• Is there a specific laptop that needs to be used for this role (i.e. - Mac or Windows)?
Whichever the user is comfortable with. Windows could be more of a challenge because of our tools. They would need to be willing to possibly self-support.