Application Security Engineer, Application Security Lead (DevSecOps / Azure DevOps)

Gratitude Inc

Nigeria · Hybrid · Full-time · Lead · PHP 50k – PHP 70k/mo · Today

About the role

Role Overview

  • Job Title: Application Security Engineer, Application Security Lead (DevSecOps / Azure DevOps)
  • Work Set‑up: Hybrid in Cubao, Quezon City
  • Work Shift: Day shift
  • Salary Budget: ₱50,000 – ₱70,000 (up to ₱80,000 joining bonus)

Responsibilities

  • Embed security into the SDLC by partnering with engineering and DevOps teams across planning, design, build, test, and release.
  • Implement and maintain application security testing programs, including:
    • SAST (Static Application Security Testing)
    • DAST (Dynamic Application Security Testing)
    • SCA (Software Composition Analysis)
    • IAST (Interactive Application Security Testing)
    • RASP (Runtime Application Self‑Protection)
  • Integrate security scanning and quality gates into Azure DevOps pipelines (Build/Release), ensuring repeatable and automated controls.
  • Perform API security testing, including authentication/authorization validation, rate‑limiting checks, schema validation, and abuse testing.
  • Conduct and/or coordinate security penetration testing and validate remediation effectiveness.
  • Lead threat modeling and secure design reviews for new features, services, and architectures (microservices, serverless, containerized workloads).
  • Establish vulnerability triage and remediation workflows: verify findings, reduce false positives, prioritize by risk, and track to closure.
  • Define and promote secure coding standards and provide hands‑on guidance (code review support, secure patterns, reference implementations).
  • Support cloud security posture for application layers across Azure, AWS, and/or GCP, including identity, secrets, network exposure, and service configurations.
  • Implement secrets management and secure configuration practices (e.g., key vault usage, environment hardening, least privilege).
  • Build dashboards and metrics to report coverage and progress (scan coverage, mean time to remediate, vulnerability trends, SLA compliance).
  • Evaluate and onboard AppSec tools and solutions; optimize pipelines for performance, reliability, and developer experience.
  • Run enablement sessions (training, brown‑bag) to raise developer security maturity and reduce recurring issues.
  • Participate in incident response activities related to application vulnerabilities, including root‑cause analysis and prevention improvements.

Core Technical Requirements

  • Strong hands‑on experience with SAST – tooling, tuning, triage, and remediation guidance.
  • Strong hands‑on experience with DAST – scanning strategies, authenticated scans, result validation.
  • Strong hands‑on experience with SCA – open‑source risk, license/compliance basics, dependency hygiene.
  • Experience with IAST and/or ability to operationalize runtime testing approaches.
  • Experience with RASP concepts and/or runtime security controls in production.
  • Proven capability in API Security Testing (OWASP API Top 10; authN/authZ, token handling, mass assignment, rate limits).
  • Experience conducting Security Penetration Testing (web apps, APIs) and translating findings into actionable fixes.
  • Strong knowledge of common application vulnerabilities (OWASP Top 10), secure coding patterns, and security testing methodologies.

Nice‑to‑Have (Optional)

  • Experience with common AppSec tools (examples): Fortify, Checkmarx, Veracode, SonarQube (SAST); OWASP ZAP, Burp (DAST); Snyk, Mend, Black Duck (SCA).
  • Experience with WAF, API gateways, or service‑mesh security controls.
  • Security certifications (e.g., CSSLP, GWAPT, OSCP) or cloud certifications (AZ‑500, AWS Security Specialty, GCP Security Engineer).

Other Details

  • Open to applicants who are currently in the Philippines and have the right to live and work in the country.
  • Minimum 2 years of relevant professional experience.
  • Minimum 2 years of experience in Android malware reverse engineering.
  • Must not have an active or recent application with Accenture.
  • Must be amenable to a hybrid set‑up in Cubao, Quezon City.

Benefits

Joining bonus (up to ₱80,000)

Skills

API Security, AWS, Azure, Azure DevOps, Containerized Workloads, DAST, DevOps, GCP, IAST, Microservices, OWASP API Top 10, OWASP Top 10, RASP, SAST, SCA, Serverless, Secure Coding, Security Penetration Testing
