Job Title: Application Security Engineer
Location: Hybrid; Charlotte, NC or New York, NY
Contract length: 6 months then conversion
Schedule: Fulltime, 40 hrs/week
Pay: $65/hr to $72/hr

Job Overview:
Our client's cybersecurity department is seeking an Application Security Engineer. This role will be an integral component of the application security program end-to-end--from discovery and inventory of business unit applications, through tooling implementation, through embedding security and AI-assisted controls into business unit DevOps pipelines. This is as much a relationship and influence role as it is a technical role; success requires partnering effectively with Hearst subsidiaries. This is a hybrid on-site position, with a requirement to be in office three times per week.

Job Responsibilities:

• Application discovery and inventory across all business units, including ownership mapping, technology stack profiling, and risk tiering
• Standing up and operating the AppSec tooling stack--SAST, SCA, secrets scanning, and container/IaC scanning--integrated into business unit CI/CD pipelines
• Designing and implementing AI-assisted triage workflows on top of AppSec tooling so that finding volume does not overwhelm developers and false positives are filtered before reaching engineering teams
• Defining secure SDLC requirements, threat modeling practices, and security gates that business units adopt as part of their standard development process
• Partnering with business unit development leaders to build the relationships and shared playbooks needed to operationalize AppSec without becoming a blocker to delivery
• Contributing to AI security strategy--evaluating emerging tools (AI code review assistants, agentic security testing, automated security requirement generation) and recommending what to operationalize and what to defer
• Producing executive-ready metrics and reporting that connect AppSec activity to business risk reduction

• 7+ years in application security, product security, or security engineering, with at least 3 years in environments with multiple independent business units, brands, or product lines
• Hands-on experience deploying and operating modern AppSec tooling (e.g., Semgrep, Snyk, Checkmarx, Veracode, Apiiro, Ox Security, GitHub Advanced Security)
• Working code-level proficiency in at least three commonly-used languages (e.g., Python, JavaScript/TypeScript, Java, C#, Go) sufficient to read, review, and triage findings
• Strong scripting and automation skills in Python or equivalent; comfortable building integrations against REST APIs and operating in CI/CD environments (GitHub Actions, GitLab CI, Jenkins, Azure DevOps)
• Demonstrated ability to influence engineering organizations without direct authority--negotiating standards, driving adoption, and partnering with development leaders
• Practical understanding of OWASP Top 10, threat modeling methodologies (STRIDE, PASTA, or equivalent), and modern attack patterns, including supply chain risks

• Experience integrating LLM-based tooling into security workflows (alert triage, finding summarization, remediation guidance generation)
• Familiarity with one or more compliance frameworks relevant to our environment (HITRUST, HIPAA, NIST AI RMF, SOC 2)
• Prior experience working in a regulated or healthcare-adjacent environment
• Cloud security depth in at least one major provider (AWS, Azure, GCP)
• Public contribution to AppSec community--OSS, conference talks, published research, or detection/rule contributions