
Contract – Application Security Engineer
Upwork
contract
Location Type: Remote
Location: Anywhere in Latin America
About the role
- Analyze and validate findings from SAST, DAST, and SCA tools, including:
  - SonarQube
  - Veracode (SourceClear)
  - Netsparker (Invicti)
  - Chariot (by Praetorian)
  - Other common commercial and open-source scanning tools
- Distinguish true positives from false positives and provide clear, developer-friendly explanations of confirmed issues.
- Assess vulnerability severity and exploitability in real-world application contexts.
- Triage and validate submissions from the bug bounty program.
- Reproduce reported issues and provide technical validation using tools such as BurpSuite.
- Collaborate with internal teams to track remediation and confirm fixes.
- Work directly with application and platform engineers to:
  - Explain findings and root causes.
  - Provide remediation guidance and secure coding recommendations.
  - Help improve the signal-to-noise ratio in security findings by refining workflows and feedback loops.
- Leverage AI and automation to eliminate repeatable manual processes.
- Contribute to improving vulnerability triage processes and documentation.
- Identify recurring vulnerability patterns and recommend preventive controls.
- Support reporting and metrics related to application security risk.
Requirements
- 3–6 years of experience in application security, product security, or vulnerability management.
- Strong hands-on experience reviewing and interpreting scan results from SAST, DAST, and SCA tools.
- Practical understanding of common application vulnerabilities, including:
  - OWASP Top 10.
  - Injection flaws, authentication issues, access control problems (incl. IDOR), insecure dependencies.
- Ability to read and reason about application code (e.g., Java, JavaScript, Python, Go) for the purpose of vulnerability analysis.
- Experience working with or triaging findings from a bug bounty or responsible disclosure program.
- Strong written and verbal communication skills, especially when translating security findings for developers.
- Familiarity with CI/CD security integrations.
- Experience with cloud-native or SaaS application environments.
- Understanding of API security testing and findings.
- Exposure to threat modeling or secure design reviews.
- Experience working in a DevSecOps or product security team.
Benefits
- Upwork is proudly committed to fostering a diverse and inclusive workforce. We never discriminate based on race, religion, color, national origin, gender (including pregnancy, childbirth, or related medical condition), sexual orientation, gender identity, gender expression, age, status as a protected veteran, status as an individual with a disability, or other applicable legally protected characteristics.
- Please note that a criminal background check may be required once a conditional job offer is made. Qualified applicants with arrest or conviction records will be considered in accordance with applicable law, including the California Fair Chance Act and local Fair Chance ordinances. The Company is committed to conducting an individualized assessment and giving all individuals a fair opportunity to provide relevant information or context before making any final employment decision.
Applicant Tracking System Keywords
Tip: use these terms in your resume and cover letter to boost ATS matches.
Hard Skills & Tools
SAST, DAST, SCA, vulnerability management, application security, Java, JavaScript, Python, Go, API security testing
Soft Skills
communication skills, collaboration, problem-solving, analytical skills, technical validation, remediation guidance, workflow refinement, documentation, translating findings, vulnerability analysis