Application Security Engineer

Polymarket Polymarket · Fintech · New York, NY · IT

Application Security Engineer to embed security throughout the software development lifecycle, identify and fix vulnerabilities, own tooling and processes for secure development, and lead security assessments of the externally-facing platform. Focus on raising the security bar without becoming a bottleneck.

What you'd actually do

  1. Own the application security program across the SDLC — from design review through deployment — ensuring security is addressed early and consistently
  2. Conduct threat modeling on new features and architectural changes; perform security design reviews and code reviews on high-risk changes with specific, actionable findings
  3. Own the SAST, DAST, and SCA toolchain — selection, deployment, tuning, and CI/CD integration so findings surface at commit time, not post-deployment
  4. Triage and prioritize automated scanner output, delivering a risk-ranked backlog rather than raw tool output to engineering teams
  5. Conduct manual penetration testing and security assessments of web applications, APIs, and internal services — with particular focus on authentication, authorization, and financial transaction flows

Skills

Required

  • Application security
  • Penetration testing
  • Secure code review
  • Threat modeling
  • SAST
  • DAST
  • SCA
  • OWASP Top 10
  • Web application security
  • API security
  • Python
  • Go
  • TypeScript
  • REST
  • GraphQL
  • Authentication
  • Authorization
  • OAuth 2.0
  • JWT
  • RBAC
  • Communication

Nice to have

  • Bug bounty platform operation
  • Smart contract security
  • Blockchain
  • Web3
  • Financial transaction systems
  • OSCP
  • GWAPT
  • GWEB
  • AWS security services
  • WAF
  • API Gateway
  • Cognito
  • Shield
  • Security champions program

What the JD emphasized

  • 3+ years of hands-on application security experience
  • Strong proficiency identifying and exploiting OWASP Top 10 vulnerabilities
  • Experience deploying and operating SAST, DAST, and SCA tooling
  • Ability to read and write code in at least one common backend language
  • Experience conducting or managing penetration tests against web applications and REST/GraphQL APIs
  • Solid understanding of authentication and authorization patterns
  • Clear written communication