Job Description
We are seeking an Application Security Engineer to build and develop our application security capability. The core mandate is security: defining how the organization designs, builds, and ships software securely — spanning secure SDLC, DevSecOps, security architecture and design, application security testing, and developer enablement. The engineer drives security into the development lifecycle and CI/CD pipelines and fundamentally reduces security risk in software.
Key Responsibilities
- Security by Design: Threat modeling, secure design review, security requirements; collaborate with architects to embed security into application design.
- Security Architecture & Solutions: Recommend and implement security controls appropriate to each application's risk profile — e.g., WAF, API security, mobile app hardening (RASP / anti-tampering).
- Application Security Testing: Operate SAST/DAST/SCA/SBOM tooling; triage findings, eliminate false positives, validate exploitability, and prioritize remediation by real risk.
- Secure SDLC & DevSecOps Integration: Embed security gates and automated checks into CI/CD pipelines.
- AppSec Maturity (OWASP SAMM): Run SAMM assessments, define the maturity roadmap, and measure improvement over time.
- Developer Enablement: Secure coding training and Security Champions program.
Job Requirements
We are looking for a highly motivated person with:
- 2-3+ years of experience with Application Security Engineering or related Security roles.
- Solid foundation in application security: OWASP Top 10 and beyond — common vulnerability classes, ability to read code and understand why a finding is (or isn't) exploitable.
- Hands-on secure SDLC & secure design: threat modeling, secure design review, security requirements.
- Strong understanding of SAST, DAST, SCA and SBOM tooling — interpreting results, triaging false positives, prioritizing by risk.
- Ability to select the right tool for the right context (judgment, not tool-operation).
- Working knowledge of CI/CD and automation as the delivery medium (Python/Bash).
- Excellent collaboration and communication skills, with the ability to work closely with developers, architects, and operations teams.
- A proactive attitude & the ability to think outside of the box
- Works in an organised, structured manner
- Can-do attitude, gets things done
- Excellent communication skills with diverse audiences
- Strong critical thinking and analytical skills
Nice-to-have:
- Practical OWASP SAMM (or BSIMM) implementation experience.
- Security architecture experience: WAF, API security, mobile app shielding/RASP.
- Awareness of secure-by-design frameworks/regulations: NIST SSDF, EU Cyber Resilience Act.
- A relevant AppSec/offensive cert (OSWE, eWPTX, GWAPT, Burp Suite Certified, CSSLP), as a screening signal for security fundamentals.
- IaC security (Terraform/K8s/Helm), cloud security, English.
Benefits
- Annual bonus: 2 - 3 months under minimum KPI requirement
- Fast promotion opportunities based on personal ability
- Work in a dynamic, open, creative environment
- Regular training, company team building, birthday bonus
About Concung.com
- Working time: 8:30 - 17:30 Monday - Friday
- Working place: 6th Floor, 9 Nguyen Trai Street, Pham Ngu Lao Ward, District 1, Ho Chi Minh City