Application Security Engineer II

Job Description:

Application Security Engineer II

(Remote Candidates will be considered)

Our Story and Our Purpose

National Digital Trust Company (In Organization) has received conditional approval from the Office of the Comptroller of the Currency to open as a federally chartered trust bank to provide a broad range of digital asset services.

We are building a specialized financial institution addressing the growing demand for digital asset services. Our primary business will focus on digital asset custody, providing secure, efficient custodial and fiduciary services for a variety of digital assets.

You will work with foundational systems and processes to help shape our operating model and influence how a new category of financial infrastructure comes to market.

We are looking for builders who handle complexity with confidence and tackle ambitious opportunities while keeping pace with this rapidly evolving industry.

Our Principles

Greatness is a mindset, not an accomplishment. Mediocrity is unacceptable. Excellence is contagious. We hire people because we believe in their greatness. Now is the time to prove us right.

Responsibility comes with the territory. Everyone is an owner, which means we share a common vision and mutual accountability. We act in line with our strategic objectives and the trust our customers place in us. We believe there is no such thing as "not my problem." Taking this level of ownership not only drives our collective success but also offers the potential for significant reward.

Innovation and adaptation are in our DNA. We are in a period of the most dramatic and rapid period of technological change in the history of humankind. Those that stay ahead will thrive, those that don't, won't. We innovate intelligently and thrive on overcoming challenges, to get (at least) a little better every day and ensure our continued growth and success.

Team first. We are reliable teammates working together toward extraordinary success through honesty and accountability. We believe collaboration knows no hierarchy, and we focus on what matters. We work toward consensus, but when necessary, we disagree and commit. We know that winners win.

About the Role

Application Security (AppSec) Engineers are responsible for designing, implementing, and managing security practices that protect NDTC’s applications and services.

As an Application Security Engineer II, you will work closely with software engineers to perform secure code reviews, conduct automated and manual testing, and integrate security throughout the software development lifecycle (SDLC). You will support and approve engineering projects from a security perspective, ensuring applications meet both internal standards and industry best practices.

This is a critical role in safeguarding systems used by our customers. Success requires strong technical depth, critical thinking, adaptability, and a passion for application security in a fast-evolving environment.

Key Responsibilities

Application Security Assessments

• Perform automated and manual vulnerability assessments for APIs and web applications
• Conduct static (SAST), dynamic (DAST), software composition analysis (SCA), and interactive (IAST) testing
• Review findings for exploitability and provide actionable remediation guidance
• Perform manual testing to validate vulnerabilities and ensure secure implementations

Secure Development & Engineering Support

• Partner with developers to embed security into the SDLC
• Participate in and help manage the secure code review approval process
• Perform product threat modeling and develop threat-focused validation checks
• Ensure new projects are designed, scoped, and deployed securely

Security Tools & Operations

• Implement, manage, and optimize application security tools across the organization
• Support the operational management of AppSec programs and workflows
• Manage cloud security for both internally developed and third-party applications
• Contribute to internal security documentation, playbooks, and best practices

Offensive Security & Testing

• Support Red Team exercises and external penetration testing engagements
• Assist in triaging and responding to bug bounty submissions
• Perform validation testing to ensure applications meet internal and industry security standards

Incident Response & Monitoring

• Investigate security incidents through research and log analysis
• Contribute to incident response processes, documentation, and continuous improvement

Automation & Tool Development

• Build or enhance internal tooling to automate security testing, compliance checks, and evidence collection
• Write scripts and utilities to improve efficiency and scalability
• Evaluate and experiment with new tools to improve application security outcomes

Collaboration & Culture

• Serve as a security subject matter expert for engineering and business teams
• Promote a strong, approachable security culture across the organization
• Operate flexibly across multiple responsibilities in a fast-growing environment

Required Qualifications

• 3–5+ years of experience in Information Technology, including security tooling
• 3–5+ years of experience as an Application Security Engineer
• 1–3+ years of experience in regulated environments (e.g., financial services, fintech)
• Strong understanding of web application security principles and architecture
• Experience with container technologies and container security
• Proficiency in at least one programming language, with willingness to learn additional languages (e.g., Rust, TypeScript)
• Experience with CI/CD pipelines and source control tools (Git, GitHub)
• Experience evaluating Infrastructure-as-Code (IaC) security across cloud environments
• Familiarity with bug bounty programs (participation or triage)
• Understanding of OWASP Top 10 and application security best practices across web, DevOps, and emerging AI systems
• Strong problem-solving, analytical thinking, and ability to adapt quickly

Preferred Experience, Skills & Knowledge

Security & Compliance

• Experience implementing security controls within DevOps / DevSecOps environments
• Knowledge of application security risks and mitigation strategies
• Familiarity with frameworks and standards such as:
• NIST 800-53 / CSF 2.0
• NIST SSDF (800-218)
• SOC 2, PCI-DSS, PA-DSS
• Understanding of Content Security Policy (CSP)
• Ability to identify and explain vulnerabilities such as:
• XSS, CSRF, injection attacks
• MITM attacks
• Brute-force and credential attacks
• Interest in financial services, digital assets, and custodial security

AI & Emerging Technologies

• Experience working with AI tools and understanding of security considerations for generative AI
• Familiarity with AI-assisted development workflows, agent-based systems, or MCP-based tools
• Willingness to learn and adapt to AI-driven SDLC environments

What Sets You Apart

• Curiosity and a continuous improvement mindset
• Ability to balance security rigor with engineering velocity
• Strong communication skills and ability to influence across teams
• Passion for building scalable, practical security solutions

We promote diversity of thought, culture, background, and experience. We are an equal opportunity employer, and employment at our company is based solely on one's merit and qualifications directly related to professional competence. We do not discriminate based on race, creed, color, ancestry, religion, gender, sexual orientation, gender identity, national origin, age, disability, genetic information, military or veteran status, or any other characteristics protected by law.

Featured benefits

• Employer-provided: Medical, Dental, and Vision insurance, 401(k), life and disability insurance.