GovServicesHub | Contract

Senior Application Security Engineer

New York, United States | Posted on 02/25/2025

Job Information

  • Target Date 03/07/2025
  • Date Opened 02/25/2025
  • Job Type Contract
  • Industry IT Services
  • Work Experience 5+ years
  • City New York
  • State/Province New York
  • Country United States
  • Zip/Postal Code 10001

Job Description

Job Location:

New York, NY 10038 (100% Onsite)

Special Requirements:

  • Candidates must submit a government-issued ID (Driver’s License or Passport).
  • Candidates must provide three professional references (including names, official emails, and phone numbers).
  • Prior experience on state government projects is required.

Job Description:

The My City portal is a single platform designed to simplify interactions with City services. This initiative focuses on delivering secure, seamless, and user-friendly digital experiences. Several key projects are underway, including Childcare, Business Portal, and Workforce Development Services.

The NYC Cyber Command is seeking a Senior Application Security Engineer to enhance security across large, complex networked environments. The ideal candidate will provide security guidance, risk assessments, and technical leadership throughout the application development lifecycle.

This role requires close collaboration with NYC Cyber Command leadership, engineering teams, incident response teams, and application security practitioners to strengthen the City's cybersecurity posture.

Responsibilities:

  • Conduct comprehensive cybersecurity risk analysis and prioritize security risks in applications.
  • Develop and implement security strategies for web applications, microservices, APIs, and mobile applications.
  • Track and manage remediation efforts against security vulnerabilities.
  • Enforce “secure by design” principles in application development.
  • Maintain architecture diagrams and create security design documents.
  • Troubleshoot and resolve application security issues in coordination with internal teams and vendors.
  • Translate compliance requirements into specific security controls.
  • Perform vulnerability assessments, penetration testing, and secure code reviews.
  • Integrate SAST/DAST tools into CI/CD pipelines for automated security checks.
  • Monitor and respond to application-level security threats.
  • Implement secure configurations for applications, databases, and APIs.
  • Conduct threat simulations and recommend security improvements for API security, identity management, and access control.
  • Collaborate with teams to ensure security is embedded within CI/CD pipelines.

Mandatory Skills/Experience:

  • 12+ years in application security, conducting vulnerability assessments, penetration testing, and secure code reviews.
  • Expertise in secure application development, including mitigating the OWASP Top 10 risk categories.
  • Proficiency in Software Composition Analysis (SCA) tools (e.g., Veracode).
  • Hands-on experience with SAST/DAST tools (e.g., Veracode, Burp Suite) and CI/CD security integration.
  • Strong cloud security expertise with AWS, Azure, or GCP, including WAFs and cloud-native security services.

Desirable Skills/Experience:

  • Advanced cloud security expertise (AWS, Azure, GCP) including IAM, encryption, monitoring tools, and Web Application Firewalls (WAF).
  • Scripting and automation experience using Python, Bash, or PowerShell.
  • Strong communication skills for explaining security concepts to both technical and non-technical teams.
  • Leadership experience in mentoring security teams and fostering security awareness.
  • Ability to collaborate cross-functionally with DevOps, IT, and development teams.
  • Highly adaptable and willing to learn new security technologies.
  • Strong analytical, problem-solving, and decision-making skills.

Additional Qualifications:

  • Preferred certifications:
    • CISSP (Certified Information Systems Security Professional)
    • CEH (Certified Ethical Hacker)
    • CCSP (Certified Cloud Security Professional)
    • GWAPT (GIAC Web Application Penetration Tester)
  • Knowledge of compliance frameworks such as NIST, PCI-DSS, and GDPR.

Skill Matrix:

Skill                                      Required/Desired   Years of Experience
Application Security                       Required           12+ Years
Vulnerability Assessments & Pen Testing    Required           10+ Years
Secure Application Development (OWASP)     Required           8+ Years
Software Composition Analysis (SCA)        Required           5+ Years
SAST/DAST Tools (Veracode, Burp Suite)     Required           5+ Years
Cloud Security (AWS, Azure, GCP)           Required           5+ Years
CI/CD Security Integration                 Required           5+ Years
Web Application Firewalls (WAF)            Preferred          3+ Years
Scripting (Python, Bash, PowerShell)       Preferred          3+ Years
Compliance (NIST, PCI-DSS, GDPR)           Preferred          3+ Years
Leadership & Team Mentorship               Preferred          3+ Years
Certifications (CISSP, CEH, CCSP, GWAPT)   Preferred          N/A