Application Security Engineer

Luxoft

Gurgaon | Full-time | Mid Level | On-site

Job Description

Project Description: Application & Infrastructure Security Consultant is an embedded security partner within Enterprise Solutions (ES) product engineering teams. The role is responsible for continuously assessing and improving the security posture of the ES technology estate - spanning application code, CI/CD pipelines, cloud infrastructure (primarily AWS), multi-tenant platform components, and AI/agentic system integrations. This is a hands-on, engineering-facing role.

The consultant works alongside development teams day to day, identifying vulnerabilities and security risks early in the delivery lifecycle, translating findings into actionable remediation guidance, and directly implementing security improvements through code changes and infrastructure updates where appropriate. The role exists to shift security left - to the point where it is a natural part of how ES engineering teams design, build, and operate - rather than a gate or an afterthought. Success is measured by the sustained reduction of exploitable risk across ES platforms, the maturity of security practices within engineering teams, and the quality of security controls in production systems.

Responsibilities

Embedded Security Assessment
- Partner closely with application development teams, participating in sprint planning, design reviews, and code reviews to identify and mitigate security risks early in the delivery lifecycle.
- Assess application security posture across all phases of delivery including architecture, source code, dependencies, APIs, authentication and authorisation mechanisms, data handling practices, and runtime behaviour.
- Conduct threat modelling for new features, architectural changes, AI/agentic system integrations, and multi-tenant platform components, communicating identified risks in terms meaningful to both engineering and business stakeholders.
- Evaluate CI/CD pipeline security including configurations, secrets management, artifact integrity, dependency supply-chain risks, and access controls.
- Review cloud infrastructure (AWS) configurations to identify security gaps across identity and access management, network design, data protection, workload hardening, logging, and monitoring.
- Assess multi-tenant boundary controls to identify cross-tenant data access paths, context confusion, and shared-resource leakage risks.
- Assess AI and agentic system components including prompt injection risks, tool-call trust boundaries, agent privilege scope, MCP/orchestration layer exposures, and model output handling. Apply OWASP Top 10 for LLMs and emerging adversarial AI guidance.
- Evaluate secrets management posture across repositories, CI/CD pipelines, environment configurations, serverless functions, and managed secrets services.
- Perform security-focused code reviews, identifying OWASP Top 10 vulnerabilities as well as language- and framework-specific security issues.

Remediation Guidance & Implementation
- Produce clear, prioritised remediation recommendations with sufficient technical detail to enable development teams to remediate issues independently.
- Directly implement security fixes where appropriate, including code changes, infrastructure-as-code (IaC) updates, CI/CD pipeline hardening, and cloud configuration corrections.
- Provide hands-on support to developers through pairing, targeted guidance, and practical code examples.
- Validate the effectiveness of remediations through retesting and evidence collection.
- Track, manage, and report remediation progress against documented security findings, including framing of residual risk and regulatory exposure where relevant.

Application Security
- Assess authentication and authorisation implementations including OAuth 2.0/OIDC, JWT, RBAC/ABAC, session management, and service-to-service authentication patterns.
- Review API security controls including input validation, rate limiting, schema enforcement, error handling, and gateway policies. Assess both REST and GraphQL surfaces.
- Evaluate data protection practices including encryption in transit and at rest, PII and financial data handling, tokenisation, secrets management, and data minimisation.
- Identify insecure design patterns and recommend secure alternatives aligned with OWASP and industry best practices.
- Assess data layer security including database access controls, ORM injection paths, and data-tier privilege abuse patterns relevant to financial data environments.

AI & Agentic System Security
- Assess the security of AI-integrated and agentic workflows, including prompt injection vulnerabilities, indirect prompt injection via tool outputs or retrieved data, and jailbreak risks.
- Evaluate tool-call trust boundaries and agent authorisation scope, identifying paths to privilege escalation or unintended action execution within agentic pipelines.
- Review MCP server configurations, orchestration layer access controls, and inter-agent communication patterns for authentication gaps and abuse paths.
- Assess model output handling in downstream systems, identifying injection risks where model-generated content is rendered, executed, or passed to other services without adequate sanitisation.
- Apply OWASP Top 10 for LLMs and emerging adversarial AI security guidance as a structured assessment framework, and contribute to its evolution based on findings in production systems.
- Work with engineering and product teams to establish security patterns and guardrails for AI/agentic system design that are proportionate and operable in a regulated environment.

CI/CD & DevSecOps
- Assess existing CI/CD pipelines for security gaps and provide recommendations for process, tooling, and configuration improvements.
- Support the integration of automated security testing including SAST, SCA, secrets scanning, container image scanning, IaC policy enforcement, and DAST where applicable.
- Provide secure coding guidance and developer enablement resources to support a shift-left security culture within ES engineering.

Cloud Infrastructure Security (AWS)
- Review and remediate AWS security controls across identity and access management (IAM roles and policies, permission boundaries, cross-account access, SSO/federation), network security (VPC architecture, segmentation, egress controls, security groups, WAF/Shield), data protection (KMS, encryption, backup strategies), and workload security (containers, serverless, hardened images, patch management).
- Identify cloud misconfigurations using AWS-native services and third-party tooling, and implement or guide corrective actions.
- Assess multi-tenant infrastructure configurations to validate that tenant isolation controls are correctly implemented and operationally maintained.

Risk Communication & Documentation
- Produce high-quality assessment reports containing clear findings, risk ratings, and actionable remediation steps, framed in terms of business impact and regulatory exposure (SOC 2, MiFID II, DORA) as appropriate.
- … security findings registers and track remediation status through to closure.
- Contribute to security runbooks, architectural patterns, and team-facing guidance documentation.
- … in post-incident reviews, penetration test remediation, and vulnerability management processes.

Mandatory Skills Description

Technical Expertise
- 5+ years of experience in application security, cloud security, or a combined security and software engineering role, with demonstrated ability to assess and remediate security risks across the full technology stack.
- Hands-on experience identifying and addressing OWASP Top 10 vulnerabilities and common cloud misconfiguration risks in production systems.
- Practical experience assessing AI and agentic system security, including prompt injection, tool-call abuse, and orchestration layer vulnerabilities.
- Familiarity with OWASP Top 10 for LLMs.
- Experience assessing multi-tenant system security, including tenant isolation controls, context confusion vulnerabilities, and shared-resource leakage.
- Experience assessing secrets management posture across repositories, CI/CD pipelines, and cloud environments.
- Proficiency in at least one programming language (Python, Java, JavaScript/TypeScript, Go, or C#) sufficient to review, modify, and implement code changes.
- Working knowledge of AWS security services and core controls including IAM, KMS, VPC, Security Groups, CloudTrail, and GuardDuty.
- Solid understanding of CI/CD platforms (e.g. GitHub Actions, Azure DevOps) and pipeline security principles.
- Familiarity with infrastructure-as-code tools such as Terraform, CloudFormation, or AWS CDK.
- Strong written and verbal communication skills, with the ability to clearly articulate risk, regulatory exposure, and remediation strategies to engineering teams and senior stakeholders.
- Proven ability to work collaboratively within and alongside development teams in a fast-moving delivery environment.

Preferred Qualifications

Technical Depth
- Experience with container security (Docker, Kubernetes/EKS) including image scanning, pod security standards, network policies, and RBAC.
- Familiarity with secrets management solutions such as AWS Secrets Manager and HashiCorp Vault, and experience assessing their configuration and usage.
- … experience with security testing and scanning tools including SAST (e.g. Fortify, SonarQube), SCA (e.g. Mend, Dependabot), DAST (e.g. WebInspect, OWASP ZAP), and cloud security posture management tooling.
- Experience conducting threat modelling using STRIDE or similar methodologies, including for AI/agentic system components.
- Knowledge of API gateway and service mesh security patterns including mTLS and fine-grained authorisation.
- … with secure SDLC frameworks and how to operationalise them within engineering delivery teams.
