Application Security Engineer
Introduction
Hearst Technology's Cybersecurity Organization is seeking a professional to be an integral component of the application security program end to end: from discovery and inventory of business unit applications, through tooling implementation, to embedding security and AI-assisted controls into business unit DevOps pipelines. This role requires both technical expertise and the ability to build strong relationships with Hearst subsidiaries.
Required Skills & Qualifications
- 7 years in application security, product security, or security engineering, with at least 3 years in environments with multiple independent business units, brands, or product lines.
- Hands-on experience deploying and operating modern AppSec tooling (e.g., Semgrep, Snyk, Checkmarx, Veracode, Apiiro, Ox Security, GitHub Advanced Security).
- Working code-level proficiency in at least three commonly-used languages (e.g., Python, JavaScript/TypeScript, Java, C#, Go) sufficient to read, review, and triage findings.
- Strong scripting and automation skills in Python or equivalent; comfortable building integrations against REST APIs and operating in CI/CD environments (GitHub Actions, GitLab CI, Jenkins, Azure DevOps).
- Demonstrated ability to influence engineering organizations without direct authority: negotiating standards, driving adoption, and partnering with development leaders.
- Practical understanding of OWASP Top 10, threat modeling methodologies (STRIDE, PASTA, or equivalent), and modern attack patterns including supply chain risks.
- Prior work experience at the client or in the client's industry.
- Applicants must be able to work directly for Artech on W2.
- Experience integrating LLM-based tooling into security workflows (alert triage, finding summarization, remediation guidance generation).
- Familiarity with one or more compliance frameworks relevant to our environment (HITRUST, HIPAA, NIST AI RMF, SOC 2).
- Prior experience working in a regulated or healthcare-adjacent environment.
- Cloud security depth in at least one major provider (AWS, Azure, GCP).
- Public contribution to the AppSec community: OSS, conference talks, published research, or detection/rule contributions.
- Application discovery and inventory across all business units, including ownership mapping, technology stack profiling, and risk tiering.
- Standing up and operating the AppSec tooling stack (SAST, SCA, secrets scanning, and container/IaC scanning) integrated into business unit CI/CD pipelines.
- Designing and implementing AI-assisted triage workflows on top of AppSec tooling to manage finding volume and filter false positives.
- Defining secure SDLC requirements, threat modeling practices, and security gates that business units adopt as part of their standard development process.
- Partnering with business unit development leaders to build relationships and shared playbooks needed to operationalize AppSec without becoming a blocker to delivery.
- Contributing to AI security strategy: evaluating emerging tools and recommending what to operationalize and what to defer.
- Producing executive-ready metrics and reporting that connect AppSec activity to business risk reduction.
For immediate consideration please click APPLY to begin the screening process with Alex.
