Application Security Vulnerability Assessment Engineer - Brooklyn, NY

Job Title: Application Security Vulnerability Assessment Engineer

Location: Brooklyn, NY 11201 onsite

Due Date: 02/11/2026 09:00

24 Months

Job Summary:

Scope Of Services

• Client seeks an Application Security Vulnerability Assessment Engineer to perform scanning and testing activities for the Software Security Assurance Program (SSAP).
• The Engineer will be responsible for identifying, validating, and providing remediation guidance for vulnerabilities across the organization's application portfolio. The primary focus is the operation and fine-tuning of SAST/DAST tooling to provide high-fidelity security baselines, followed by manual validation of results.
• The Engineer will also provide direct, technical remediation guidance to development teams and lead structured knowledge transfer sessions to train full-time staff.

Tasks:

• Operate and maintain industry-standard SAST/DAST tooling, including HCL App Scan, Veracode, and Burp Suite, to ensure continuous security coverage.
• Scope application assessments by identifying all critical components and APIs required to establish a comprehensive security baseline.
• Configure and fine-tune scan profiles and parameters to eliminate noise, reduce false positives, and ensure repeatable, high-fidelity results.
• Manage the full lifecycle of authenticated and unauthenticated scans, including the coordination of application profiles, security profiles, and automated schedules.
• Validate automated scanner findings through manual testing and exploit reproduction to confirm technical impact.
• Document false positives with detailed root-cause analysis and technical justification for audit trails.
• Identify recurring vulnerability patterns and systemic architectural weaknesses across application portfolios.
• Generate defensible vulnerability reports that include step-by-step evidence for engineering teams and high-level summaries for management.
• Prioritize remediation efforts by correlating technical severity with business criticality and data sensitivity.
• Partner with development teams to translate complex security findings into clear, actionable technical requirements that can be easily ingested into their remediation workflows.
• Prescribe specific coding guidance and design-level mitigations to resolve identified vulnerabilities.
• Implement compensating controls when direct remediation is not technically feasible or requires long-term architectural changes.
• Lead working sessions and technical walkthroughs to assist developers in accelerating the "time-to-fix."
• Lead structured knowledge transfer sessions to train full-time staff on assessment methodologies and security best practices.

Mandatory Skills/Experience

• Minimum of 12 years of hands-on experience in Application Security, Vulnerability Assessments, or Penetration Testing.
• Advanced proficiency in applying OWASP Top 10 and NIST 800-53 standards.
• Practical experience operating and configuring SAST/DAST tools (e.g. AppScan, Veracode, Burp Suite).
• Proven ability to explain technical vulnerabilities to developers and provide specific, design-level remediation guidance.
• Proficiency in using CVSS (Common Vulnerability Scoring System) to correlate technical severity with business impact and data sensitivity.

Desirable skills/experience:

• Experience testing cloud-native apps (AWS/Azure/Google Cloud Platform), APIs, and microservices.
• Strong understanding of Agile/SDLC cycles to effectively coordinate with developers and project managers.
• Proficiency in manual, deep-dive testing to validate automated findings and identify complex business logic flaws.
• Background working with large, complex organizations or government/public sector environments.