The Application Security Specialist exists to embed application security expertise across Europe’s products and services, supporting the Secure Development Practice and enabling a consistent ‘shift-left’ approach. The role is accountable for advancing application security capability, leading security reviews on higher-risk systems, and ensuring secure development practices are adopted across engineering teams. The post holder will act as a technical authority on application security, helping reduce vulnerability risk and improve security outcomes across both internal IT systems and customer-facing solutions.
Application security capability development (CoE contribution)
- Contribute to establishing and operating a pan-European application security capability within the Secure Development CoE.
- Build and maintain a network of application security practitioners across development teams.
- Develop an understanding of current application security maturity, tooling and practices across Europe.
- Define and promote consistent application security methodologies, patterns and practices.
- Contribute to CoE forums, standards discussions and knowledge sharing across teams.
Application security reviews and assurance
- Lead application security reviews for high-risk products and services.
- Coordinate with Product Security Development Specialists to define scope, coverage and prioritisation.
- Conduct and oversee:
- static application security testing (SAST)
- dynamic testing (DAST)
- fuzz testing where appropriate
- API and interface security reviews
- architecture and design-level assessments
- assessment against OWASP Top 10 and other relevant standards
- Interpret findings and translate them into actionable remediation plans.
Secure development standards and guidance
- Support the development and maintenance of secure coding standards across key languages such as C, C++, Java and other relevant stacks.
- Contribute to application security policies and supporting technical documentation.
- Provide practical guidance to developers on secure coding and remediation approaches.
- Align standards with recognised frameworks such as OWASP and relevant secure development frameworks.
Developer enablement and training
- Deliver and coordinate application security training for development teams.
- Introduce internal or external specialised training content.
- Support secure coding awareness, hands‑on workshops and threat-focused learning.
- Act as a point of contact for development teams needing security guidance.
Security culture and shift-left adoption
- Promote a security‑first mindset within engineering and product teams.
- Embed security considerations into design, development and deployment processes.
- Support early‑stage security engagement in development lifecycles.
- Champion pragmatic and developer‑friendly security practices.
Threat and vulnerability management (product focus)
- Support the threat and vulnerability management process across product and service lines.
- Assist in triaging, prioritising and managing application‑level vulnerabilities.
- Provide technical input into remediation planning and risk decisions.
- Identify recurring issues and systemic weaknesses in development practices.
CI/CD security integration and tooling
- Design and support secure CI/CD pipeline patterns.
- Identify, evaluate and help implement appropriate security tooling across development pipelines.
- Integrate SAST, DAST, SCA and other application security tools into build and release processes.
- Support automation of security controls and checks within development workflows.
- Contribute to the development of secure practices for AI‑enabled applications.
- Support emerging controls and patterns related to AI model security, data handling and misuse risks.
- Assist teams in embedding security into AI and data‑driven development processes.
- Monitor application security trends, vulnerabilities and emerging threats.
- Recommend improvements to processes, tooling and developer practices.
- Contribute to maturity improvement of the Secure Development Practice.
Task level
- Conducting application security scans and manual reviews
- Supporting remediation of vulnerabilities
- Producing technical findings and guidance
- Delivering training and guidance sessions
Process and policy level
- Designing and embedding application security processes in SDLC
- Developing secure coding standards and review frameworks
- Implementing security controls into CI/CD pipelines
Theoretical and cross‑disciplinary level
- Applying secure development frameworks such as SSDF
- Understanding application, infrastructure and data security interactions
- Translating security theory into practical secure development practices
- Operating across software engineering, cyber security and risk domains
Technical Skills required
- Strong knowledge of application security principles and practices
- Experience with SAST, DAST and software composition analysis tools
- Knowledge of secure coding practices across languages such as Java, C, C++
- Experience with CI/CD pipelines and DevSecOps integration
- Threat modelling techniques and tools
- Understanding of OWASP Top 10 and common vulnerability classes
- Experience with API security and web application security
- Understanding of fuzz testing and advanced testing techniques
- Familiarity with secure AI development considerations
- Knowledge of secure development frameworks such as SSDF
- Understanding of vulnerability management processes
#J-18808-Ljbffr…
