Application Security Engineer III

Job Title: Cybersecurity Engineer

Location: US – Fully Remote (EST Time Zone)

Pay: Based on experience

Contract: 6 month contract, chance of extension

Position Overview

Spotify is seeking an experienced Application Security Engineer III to join our distributed product security engineering team. In this role, you will support development teams with application security expertise, elevate software security practices, and drive initiatives to strengthen the security posture of our platform serving 400+ million users. This position requires a hands-on security professional with strong technical knowledge, threat modeling experience, and the ability to communicate effectively across diverse audiences.

Key Responsibilities

• Provide guidance and consultation on application security best practices across software disciplines.
• Lead and evangelize security initiatives, including Threat Modeling, code review, and secure design practices.
• Develop, codify, and deliver security guidance tailored to Spotify’s applications and engineering ecosystem.
• Drive adoption and fine-tuning of security tools, including SAST, based on user feedback and organizational needs.
• Integrate security tooling into development pipelines and automate security workflows where possible.

Interested in remote work opportunities in Cyber Security? Discover Cyber Security Remote Jobs featuring exclusive positions from top companies that offer flexible work arrangements.

• Collaborate with cross-functional teams to improve the security of applications across web, API, mobile, and emerging technologies.
• Communicate complex security concepts clearly to technical and non-technical stakeholders.

Required Qualifications

• 5+ years of hands-on experience in application security.
• Strong knowledge of OWASP Top 10 frameworks for Web and API; experience with Mobile and LLM security is a plus.
• Demonstrated experience with Threat Modeling, including building and leading Threat Modeling practices.
• Proficiency in analyzing SAST findings and tuning SAST tools to reduce false positives.
• Experience with programming languages including Java, Python, Scala, C++, and TypeScript.
• Ability to write QL queries for CodeQL is preferred.
• Strong ability to communicate and teach security concepts to a variety of audiences.

Preferred Qualifications

• Proven experience driving adoption of security tools and programmatic security initiatives across an organization.
• Experience establishing security practices aligned with modern frameworks and industry standards.
• Ability to lead cross-disciplinary initiatives to improve overall engineering security posture.
• Experience securing platforms and applications in high-scale, rapidly changing environments.

Skills & Competencies

• Application Security Guidance
• Threat Modeling & Risk Assessment
• SAST Tool Implementation & Tuning
• Security Automation & Integration
• Programming & Scripting for Security
• Security Evangelism & Training
• Cross-Functional Collaboration