Haystack
← Back to Jobs
Technology

Security Engineer – SAST & SCA (Application Security)

UniqueHire Consulting LLCCalifornia City, CA🇺🇸United StatesPosted 9 Jul 2026

Quick Overview

Work Type
On Site
Level
Mid Senior

Job Description

Job Title: Security Engineer – SAST & SCA (Application Security)

Location: San Jose, CA (5 days Onsite)

 

Role summary

We are looking for a Security Engineer specializing in SAST and SCA to strengthen our Application Security (AppSec) program. This role will focus on identifying, prioritizing, and driving remediation of code-level and open-source vulnerabilities across the software development lifecycle (SDLC). The ideal candidate has a strong understanding of secure coding practices, vulnerability management, and developer workflows, with the ability to scale security testing through automation and process integration.

Key Responsibilities

SAST (Static Application Security Testing)

• Operate and manage SAST tools (e.g., Checkmarx, Fortify, Veracode, CodeQL)

 

• Analyze scan results to: 

  • Identify true positives vs false positives
  • Prioritize based on exploitability and business impact

 

 Partner with development teams to: 

  • Remediate vulnerabilities
  • Improve secure coding practices

 

• Tune rules and policies to reduce noise and increase scan accuracy

SCA (Software Composition Analysis)

• Manage and optimize SCA tools (e.g., Sonatype, Snyk, Black Duck, WhiteSource/Mend, Dependabot)

 

• Identify and track: 

  • Vulnerabilities in third-party and open-source components
  • License and compliance risks

 

 Drive: 

  • Dependency upgrades and patching strategies
  • Risk-based prioritization for remediation

 

• Maintain visibility into software bill of materials (SBOM)

 

SDLC Integration & Automation

 Integrate SAST/SCA into: 

  • CI/CD pipelines (GitHub, GitLab, Azure DevOps, Jenkins)
  • Developer workflows (PR checks, pre-commit hooks)

 

• Automate: 

  • Scan execution and reporting
  • Ticket creation and tracking (Jira or similar)

 

• Ensure shift-left security adoption across engineering teams

 

Vulnerability Management & Reporting

• Track vulnerability lifecycle: 

  • Identification → Triage → Remediation → Closure

 

 Provide

  • Metrics and dashboards (e.g., SLA compliance, risk trends)
  • Executive-ready summaries for leadership

 

• Support: 

  • Audit and compliance requirements (ISO, SOC2, etc.)

 

Developer Enablement

• Act as a trusted advisor to engineering teams

 

• Provide: 

  • Remediation guidance and secure coding recommendations
  • Documentation, FAQs, and best practices

 

 Conduct: 

  • Developer training and awareness sessions

 

Required Qualifications

Experience

• 3–6+ years in Application Security, DevSecOps, or Secure Development

• Hands-on experience with: 

o SAST and/or SCA tools in enterprise environments

• Experience working closely with development teams and CI/CD pipelines

 

Technical Skills

 Strong knowledge of: 

  • OWASP Top 10
  • Secure coding practices (Java, Python, C/C++, JavaScript, etc.)

 

 Experience with SAST tools such as: 

  • Checkmarx, Fortify, Veracode, CodeQL

 

 Experience with SCA tools such as: 

  • Snyk, Black Duck, Mend, Dependabot

 

DevSecOps & Automation

• Familiarity with: 

  • CI/CD tools (GitHub Actions, Jenkins, GitLab CI, Azure DevOps)

 

 Experience with: 

  • Scripting (Python, Bash, PowerShell)

 

 Ability to: 

  • Automate workflows and integrate security into pipelines

 

Vulnerability Management

• Understanding of: 

  • CVSS scoring and risk prioritization
  • Vulnerability tracking and remediation processes

 

• Experience with: 

  • Jira or similar ticketing systems

 

Preferred Qualifications

• Certifications: 

CSSLP, GWAPT, OSCP (optional but valuable)

 

• Experience with: 

  • SBOM frameworks (CycloneDX, SPDX)
  • Container security and dependency scanning
  • Cloud-native application security

 

• Familiarity with: 

  • Secrets scanning, IaC scanning tools (e.g., Terraform security)

 

Key Competencies

  • Strong analytical skills and attention to detail
  • Ability to separate signal from noise in scan results
  • E ective communication with both technical and non-technical stakeholders
  • Focus on scalable, developer-friendly security solutions

Skills

OWASP
Azure
Bash
C++
GitHub Actions
GitLab CI
Java
JavaScript
Jenkins
Jira
PowerShell
Python
Terraform

Similar jobs