For our client, a global leader in enterprise workflow and digital transformation solutions, we are looking for an Application Security Engineer to join the Global Security Support Center (GSSC) - Fully Remote.
Ref.: 121734
In this hands-on role, you will be responsible for managing the lifecycle of security findings reported by customers and penetration testers. You will validate and assess vulnerabilities, reproduce issues in lab environments, perform code reviews, and work closely with engineering teams to drive remediation efforts. The position requires strong technical expertise, analytical thinking, and the ability to communicate security risks effectively to both technical and business stakeholders.
Your Responsibilities
- Triage and validate security findings submitted by customers and penetration testers.
- Assess exploitability, scope, business impact, and remediation paths for reported vulnerabilities.
- Analyze platform-level vulnerabilities across web applications, APIs, and server-side components.
- Investigate security issues including SSRF, IDOR, SQL Injection, XSS, GraphQL abuse, privilege escalation, server-side injection, and related attack vectors.
- Reproduce and verify vulnerabilities in lab environments.
- Perform code reviews and trace attack paths across JavaScript and Java codebases.
- Prepare customer-facing security assessments and risk evaluations.
- Collaborate with engineering teams on defect management, remediation planning, patch validation, and fix verification.
- Apply risk-based decision making and provide recommendations for mitigation strategies.
Required Qualifications
- 3+ years of experience in Application Security, Product Security, Penetration Testing, Bug Bounty, or a related security discipline.
- Strong understanding of application security principles and common attack vectors.
- Hands-on experience with vulnerability validation, security testing, and risk assessment.
- Solid knowledge of OWASP Top 10 and modern application security threats.
- Experience analyzing vulnerabilities such as:
  - SSRF
  - IDOR
  - SQL Injection
  - XSS
  - Privilege Escalation
  - GraphQL Security Issues
  - Prototype Pollution
  - Server-Side Injection
- Ability to read and analyze JavaScript and Java code.
- Experience writing technical security reports for both engineering and executive audiences.
- Strong understanding of CVSS scoring and vulnerability risk assessment.
- Excellent communication and stakeholder management skills.
Nice to Have
- Advanced ServiceNow platform experience (e.g., custom app development or deep familiarity with the ACL model and scoping boundaries)
- Background in customer-facing security roles or managed security services.
- Experience working with bug bounty programs and vulnerability disclosure processes.
- Security certifications such as GWEB, GWAPT, OSCP, or equivalent.
- Experience with secure software development practices and application architecture reviews.
What We Offer
- Opportunity to work on complex and high-impact security challenges.
- Exposure to large-scale enterprise applications and modern cloud environments.
- Collaboration with experienced security and engineering teams.
- International and dynamic work environment.
- Professional growth and continuous learning opportunities.
For over 30 years, Nash direct has been helping remarkable people win exciting roles at world-leading technology companies in Germany. Our mission is to give our employees the best possible experience in working with us.
Interested? Then we would love to receive your application.
For more information on the role please get in touch with Marlena Marzano Monterosso.
Marlena Marzano Monterosso
Senior Recruiter
Nash direct GmbH
Leonrodstraße 52
80636 München
Mobile: +49 89 839306241
Email: marlena.marzano@nashdirect.de