Application Security Engineer

19 May 2026
West Virginia, Tysonscorner 00000 Tysonscorner USA

Tysons Corner, VA
Full-time in person from Strategy Office - 5 days per week

Job Description

Join Strategy’s IT Security group as an Application Security Engineer and play a crucial role in safeguarding Strategy’s software applications while using modern security and AI tooling. In this position, you will be responsible for integrating security practices throughout the software development lifecycle, ensuring that our software products are resilient against vulnerabilities.

AI Security Governance: Evaluate and establish guardrails for the secure use of AI coding assistants (e.g., Copilot, Cursor, Claude) within the engineering organization, including policy development around AI-generated code review, training data exposure risks, and prompt injection vulnerabilities in AI-integrated applications.

Secure SDLC Integration: Work closely with development teams to integrate security into the SDLC, including threat modeling, secure code reviews, and security testing.

Vulnerability Management: Identify, triage, and remediate security vulnerabilities through static and dynamic application security testing (SAST/DAST) and software composition analysis (SCA) tools.

Security Assessments & Penetration Testing: Conduct manual and automated penetration testing of web, mobile, and cloud applications to detect security flaws.

Secure Code Review: Analyze source code using both manual review and AI-assisted code analysis tools (e.g., GitHub Copilot Autofix, Semgrep, or similar) to surface vulnerabilities earlier in the development cycle and deliver actionable, in-context remediation guidance to developers.

Threat Modeling & Risk Analysis: Perform threat modeling to anticipate potential attack vectors and improve security architecture.

DevSecOps Enablement: Support and enhance DevSecOps initiatives by integrating AI-assisted security automation within CI/CD pipelines, including AI-powered SAST/DAST tools and LLM-based code scanning to accelerate vulnerability detection at the point of commit.

Incident Response & Remediation: Assist in investigating security incidents related to applications and work with engineering teams to remediate threats.

Security Awareness & Training: Educate and mentor developers on OWASP Top 10, SANS 25, and other security best practices.
