<< Back to Careers

Application Security Engineer

WinMill Software is actively seeking a full-time Application Security Engineer. The candidate will perform application security assessments using leading market tools, and be able to read, vet and triage results. The ideal candidate will have a background in application development and can work with developers to remediate vulnerabilities. The candidate must understand Secure DevOps and be able to design and build ALM architectures that support static scanning, dynamic scanning, risk correlation and remediation management. The candidate must be an enthusiastic problem solver with excellent communication skills, must be able to work independently and directly with clients, and must be committed to establishing and teaching best practices for Application Security and Secure DevOps.


NYC Metro Area. May include working from WinMill's midtown office, from home and on client sites. Some travel may be required depending on the project, 5-10% at most.

Job Responsibilities 

  • Design and build secure development operations (Secure DevOps) architectures for clients as part of a continuous integration process. 
  •  Perform static and dynamic application vulnerability assessments using multiple tools. 
  •  Evaluation scan results, parse out false positives, correlate results from multiple tools, triage results and provide recommendations for remediation. 
  •  Perform actual code remediation in one more of the following. 
  •  Train clients on Secure DevOps best practices, as well as how to use various tools. 
  •  Help to build out Secure DevOps architectures in WinMill sandboxes; train WinMill staff on best practices.    
Required Skills 
  • Bachelor's degree in computer information systems, or equivalent. 
  • At least three (3) years' experience in software development using one or more of the following: javascript, node.js, java, C, C#, .NET, PHP, Python, Ruby. 
  • Ability to identify vulnerabilities in applications written in these languages. 
  • Knowledge and ability to assess web and non-web applications. 
  • Knowledge of secure coding methodologies including OWASP Secure SDLC, MS-SDLC. 
  • At least two (2) years' experience with dynamic security testing tools such as Acunetix, BurpSuite, HP Webinspect, Veracode and ZAProxy. 
  • At least two (2) years' experience with static testing tools such as CheckMarx, HP Fortify Static Code Analyzer and Veracode. Knowledge of CI/CD tools such as Artifactory, git, Chef, CircleCI, Consul, Jenkins, Microsoft TFS. 
  • Knowledge of secure methodologies and programming concepts including cryptography, authentication models and standards, secure libraries, and methods to evaluate their applicability to business and development problems.
  • Preferred: knowledge of AWS environments and development within them, including CloudFormation. 
  • Experience, knowledge and presence to teach and train developers on secure coding and development techniques. 
  • Proficiency in written and spoken English. 
  • Ability to present findings and summaries of issues to senior management.
  • Proactive and self-motivated, including willingness to reach out to development teams and stakeholders to discuss issues and identify areas needing assistance.   
  • Authorized to work in the US for any employer.