Security Engineer – SAST & SCA (Application Security)
Quick Overview
Job Description
Job Title: Security Engineer – SAST & SCA (Application Security)
Location: San Jose, CA (5 days Onsite)
Role summary
We are looking for a Security Engineer specializing in SAST and SCA to strengthen our Application Security (AppSec) program. This role will focus on identifying, prioritizing, and driving remediation of code-level and open-source vulnerabilities across the software development lifecycle (SDLC). The ideal candidate has a strong understanding of secure coding practices, vulnerability management, and developer workflows, with the ability to scale security testing through automation and process integration.
Key Responsibilities
SAST (Static Application Security Testing)
• Operate and manage SAST tools (e.g., Checkmarx, Fortify, Veracode, CodeQL)
• Analyze scan results to:
- Identify true positives vs false positives
- Prioritize based on exploitability and business impact
• Partner with development teams to:
- Remediate vulnerabilities
- Improve secure coding practices
• Tune rules and policies to reduce noise and increase scan accuracy
SCA (Software Composition Analysis)
• Manage and optimize SCA tools (e.g., Sonatype, Snyk, Black Duck, WhiteSource/Mend, Dependabot)
• Identify and track:
- Vulnerabilities in third-party and open-source components
- License and compliance risks
• Drive:
- Dependency upgrades and patching strategies
- Risk-based prioritization for remediation
• Maintain visibility into software bill of materials (SBOM)
SDLC Integration & Automation
• Integrate SAST/SCA into:
- CI/CD pipelines (GitHub, GitLab, Azure DevOps, Jenkins)
- Developer workflows (PR checks, pre-commit hooks)
• Automate:
- Scan execution and reporting
- Ticket creation and tracking (Jira or similar)
• Ensure shift-left security adoption across engineering teams
Vulnerability Management & Reporting
• Track vulnerability lifecycle:
- Identification → Triage → Remediation → Closure
• Provide:
- Metrics and dashboards (e.g., SLA compliance, risk trends)
- Executive-ready summaries for leadership
• Support:
- Audit and compliance requirements (ISO, SOC2, etc.)
Developer Enablement
• Act as a trusted advisor to engineering teams
• Provide:
- Remediation guidance and secure coding recommendations
- Documentation, FAQs, and best practices
• Conduct:
- Developer training and awareness sessions
Required Qualifications
Experience
• 3–6+ years in Application Security, DevSecOps, or Secure Development
• Hands-on experience with:
o SAST and/or SCA tools in enterprise environments
• Experience working closely with development teams and CI/CD pipelines
Technical Skills
• Strong knowledge of:
- OWASP Top 10
- Secure coding practices (Java, Python, C/C++, JavaScript, etc.)
• Experience with SAST tools such as:
- Checkmarx, Fortify, Veracode, CodeQL
• Experience with SCA tools such as:
- Snyk, Black Duck, Mend, Dependabot
DevSecOps & Automation
• Familiarity with:
- CI/CD tools (GitHub Actions, Jenkins, GitLab CI, Azure DevOps)
• Experience with:
- Scripting (Python, Bash, PowerShell)
• Ability to:
- Automate workflows and integrate security into pipelines
Vulnerability Management
• Understanding of:
- CVSS scoring and risk prioritization
- Vulnerability tracking and remediation processes
• Experience with:
- Jira or similar ticketing systems
Preferred Qualifications
• Certifications:
CSSLP, GWAPT, OSCP (optional but valuable)
• Experience with:
- SBOM frameworks (CycloneDX, SPDX)
- Container security and dependency scanning
- Cloud-native application security
• Familiarity with:
- Secrets scanning, IaC scanning tools (e.g., Terraform security)
Key Competencies
- Strong analytical skills and attention to detail
- Ability to separate signal from noise in scan results
- E ective communication with both technical and non-technical stakeholders
- Focus on scalable, developer-friendly security solutions
Skills
Similar jobs
Vendor Security Management Specialist
StratEdge It consulting INC · Austin, United States
56 minutes agoJourneyman Cyber Security Engineer (Splunk/TS) - USSOCOM EDAT Zero Trust
Kentro · Tampa, United States
1 hour agoJourneyman Cyber Security Engineer (Splunk/SIPR) - USSOCOM EDAT Zero Trust
Kentro · Tampa, United States
2 hours agoProduct Security Analyst (Mid-Senior) with Security Clearance
Boeing · Seattle, United States
2 hours ago$148.8k - $201.3k/yrSenior Splunk Cyber Security Engineer
MANTECH · Chantilly, United States
3 hours agoSAP Security Analyst
SAIC · Arlington, United States
3 hours ago$120.0k - $160k/yr