Application Security Engineer (DevSecOps)

Sectech Solutions • United States
Remote
Job Description


Application Security Engineer (DevSecOps)

100% remote working - USA

Eastern Time Zone Working Hours

Contract-To-Hire


**Suitable candidates will need to be legally authorized to work in the USA - H1B visa, sponsorship, etc. are not being accepted for this role**


The Application Security Engineer (DevSecOps) is responsible for operationalizing application security scanning and findings management within Odyssey’s Azure DevOps CI/CD environment. This role focuses on integrating and tuning Snyk SAST and SCA scanning so that security results are credible, visible, and actionable for development teams.

The engineer will partner closely with the Azure domain administrator and development teams to design secure‑by‑default CI/CD patterns, establish a repeatable findings triage and management process, and define security metrics and dashboards. This role embeds security controls into the software delivery lifecycle rather than bolting them on after the fact.


Key Responsibilities


Security Tooling Integration & Tuning


  • Integrate, configure, and tune Snyk SAST and SCA scans within Azure DevOps CI/CD pipelines for multiple applications on a mixed‑language stack.
  • Apply DevSecOps patterns (e.g., branch policies, build gates, reusable pipeline templates) to reduce noise and improve findings credibility.
  • Work in close partnership with the Azure domain administrator to:
      • Align Snyk integration with Azure DevOps standards, policies, and governance.
      • Contribute to shared pipeline templates, service connections, and security guardrails for broader reuse.
  • Troubleshoot and optimize Azure DevOps configurations (permissions, agent pools, environment protections) to support secure delivery.


Findings Triage & Management


  • Triage and manage the existing backlog of Snyk SAST/SCA findings, ensuring issues are routed into normal engineering workstreams.
  • Identify, validate, and document false positives; apply consistent severity‑based prioritization aligned with CI/CD risk thresholds and release gating rules.
  • Develop and maintain a Findings Triage & Management Process including:
      • MTTR definitions by severity.
      • False‑positive handling procedures.
      • Exception request and approval workflow with clear evidence and governance paths.


Alignment with SDLC & DevSecOps Practices


  • Align security scanning checkpoints to standardized SDLC stages, ensuring controls are embedded in delivery and consistent with enterprise DevSecOps practices.
  • Act as a DevSecOps partner to development teams (e.g., Phoenix, Pricing Platform, Livestock), building familiarity and comfort with findings intake and remediation workflows.
  • Integrate remediation work into Azure Boards or equivalent work tracking systems.


Training, Enablement & Metrics


  • Co‑develop and co‑deliver developer enablement on the Snyk scanning workflow, remediation expectations, and DevSecOps ways of working (security in pull requests, pipeline feedback loops, security‑as‑code patterns).
  • Define baseline security metrics and provide inputs to shared dashboards, including:
      • Scan coverage.
      • Findings aging.
      • MTTR by severity.
      • Exception volumes.
  • Ensure reporting supports security governance, risk visibility, and audit‑ready evidence.


Required Qualifications


  • Hands‑on DevSecOps experience, including practical implementation of security controls within CI/CD pipelines.
  • Strong experience with SAST and SCA tooling (preferably Snyk), including deployment, configuration, and findings triage.
  • Direct experience integrating and tuning security scanning in Azure DevOps CI/CD, including:
      • Pipeline templates.
      • Build/release gates.
      • Branch policies.
      • Service connections.
  • Demonstrated ability to partner with an Azure domain administrator or platform engineering team to co‑design secure, scalable Azure DevOps patterns (templates, guardrails, governance).
  • Ability to triage findings across a mixed‑language codebase, not limited to a single technology stack.
  • Strong communication skills, able to:
      • Explain findings and remediation clearly to non‑security development teams.
      • Align responsibilities across Security, Platform, and Development in a DevSecOps model.
  • Proven ability to operate independently with minimal direction in a fast‑moving environment.
  • Experience creating practical, usable process documentation designed for handoff and ongoing use by development and platform teams.


Preferred Experience


  • Experience in financial services, insurance, or other regulated industries with exposure to security, compliance, and audit requirements.
  • Familiarity with secure SDLC practices and collaboration with SDLC process/governance teams.
  • Prior involvement in DevSecOps transformations, security program rollouts, or CI/CD security automation initiatives.
  • Knowledge of broader cloud security concepts (e.g., Azure security controls, least‑privilege access, environment hardening).

