Application Security Engineer at Investec
Investec
Description
The Application Security Engineer is responsible for improving and embedding security throughout the software development lifecycle across Investec's engineering environments. The role focuses on secure software development practices, application security tooling, DevSecOps integration, and engineering enablement to reduce security risk while supporting modern software delivery.
The role works closely with software engineering teams, platform teams, and security stakeholders to implement scalable application security controls, improve developer security practices, and enhance visibility into software supply chain and application risk.
Key Responsibilities
Application Security Engineering
Partner with engineering teams to embed security into software design, development, testing, and deployment processes.
Provide practical security guidance and support across modern application architectures and development frameworks.
Assist teams in identifying and remediating application security vulnerabilities and weaknesses.
Promote secure-by-default engineering practices across the software development lifecycle.
Secure Development and Code Review
Support secure coding practices across primarily .NET and TypeScript environments, with exposure to Python and Java ecosystems.
Review application architectures, code patterns, and integrations for security risks and weaknesses.
Assist development teams with remediation guidance and secure implementation approaches.
Develop and maintain secure coding standards, patterns, and reusable guidance.
Application Security Tooling and DevSecOps
Implement, maintain, and optimise application security tooling across CI/CD pipelines and engineering workflows.
Manage and support tooling including:
Static Application Security Testing (SAST)
Software Composition Analysis (SCA)
Secrets detection and scanning
Software supply chain security controls
Support integration of security tooling into build and deployment processes to enable automated security validation.
Work closely with platform and engineering teams to improve developer experience and reduce friction in security adoption.
Software Supply Chain and Vulnerability Management
Assist with management and interpretation of software security findings including vulnerabilities, dependency risks, and exposure trends.
Maintain familiarity with industry standards and terminology including:
CWE (Common Weakness Enumeration)
CVE (Common Vulnerabilities and Exposures)
SBOM (Software Bill of Materials)
Support prioritisation and remediation of application and dependency vulnerabilities.
Contribute to improving software supply chain visibility and governance.
Infrastructure as Code (IaC) and Cloud-Native Security
Support secure Infrastructure-as-Code practices with a strong focus on Bicep and cloud-native deployment models.
Review and improve security controls within application deployment templates and infrastructure definitions.
Collaborate with cloud and platform engineering teams to improve secure deployment standards and patterns.
Promote DevSecOps practices across application and infrastructure delivery pipelines.
Security Enablement and Collaboration
Work closely with developers, architects, and platform teams to improve security maturity across engineering environments.
Assist with application security awareness, guidance, and developer enablement initiatives.
Contribute to security standards, engineering patterns, and operational processes.
Support investigation and response activities related to application security findings and incidents.
Qualifications, Experience and Skills
Bachelor's degree in Computer Science, Information Technology, Engineering, or related discipline (or equivalent practical experience)
Relevant Certifications (desirable)
CSSLP, GWAPT, GWEB, OSWE, or equivalent application security certifications
Microsoft Azure certifications advantageous
Secure software development or DevSecOps related certifications beneficial
Technical Skills and Experience
Strong understanding of modern application security principles and secure software development practices.
Hands-on experience with .NET and TypeScript application ecosystems.
Working knowledge of Python and Java environments advantageous.
Familiarity with scripting and automation using PowerShell, Bash, or similar technologies.
Experience implementing and managing application security tooling including SAST and SCA solutions.
Strong understanding of software supply chain security concepts including SBOMs, dependency management, and vulnerability management.
Familiarity with common application security weaknesses and frameworks including OWASP Top 10 and CWE classifications.
Experience with CI/CD concepts and DevSecOps integration patterns.
Strong Infrastructure-as-Code knowledge with experience in Bicep desirable.
Behavioural Attributes
Pragmatic and engineering-focused mindset
Strong analytical and problem-solving capability
Collaborative and developer-friendly approach
Ability to communicate complex technical concepts clearly
Self-driven with strong ownership and continuous improvement mindset