Senior Application Security Engineer
Job Description
Job Description Summary
This position is responsible for ensuring that the Company’s applications, APIs, and edge delivery platforms are secure from vulnerabilities and malicious attacks that may compromise systems, data, or intellectual property. This role performs application security engineering tasks including secure code analysis, vulnerability scanning, CDN/WAF protection, threat detection, and remediation, while supporting enterprise DevSecOps initiatives.
Job Overview
Callaway is seeking a Senior Application Security Engineer to support the design, implementation, and governance of security controls across modern application environments. This role focuses on securing the full application lifecycle through secure code review, runtime application protection, and application vulnerability assessment, while strengthening protections across cloud-native platforms and edge delivery.
The ideal candidate will have strong hands-on experience in application security, DevSecOps, and modern web application architectures, with the ability to partner closely with engineering teams to identify, prioritize, and remediate security risks across development, runtime, and external attack surfaces.
Roles and Responsibilities
- Implement and maintain application security controls across Azure-based and cloud-native environments
- Integrate GitHub Advanced Security (GHAS) including CodeQL, Dependabot, and Secret Scanning into CI/CD pipelines
- Perform secure code reviews and enforce secure development best practices
- Deploy and manage Tenable for application vulnerability scanning (DAST), including authenticated and unauthenticated scans
- Identify, prioritize, and remediate application and API vulnerabilities based on risk and exploitability
- Configure and optimize CDN/WAF protections using Cloudflare and Vercel, including rate limiting, bot mitigation, and custom rules
- Protect applications from OWASP Top 10 threats, API abuse, credential stuffing, and Layer 7 DDoS attacks
- Secure application authentication and authorization using Microsoft Entra ID (formerly Azure AD), OAuth2, and OIDC
- Integrate application, CDN, and identity logs into SIEM platforms (Sumo Logic) for monitoring and detection
- Develop and tune detection rules for threats such as WAF bypass, API misuse, and anomalous authentication activity
- Partner with DevOps and engineering teams to embed security into CI/CD pipelines and infrastructure workflows
- Implement and enforce secure use of Azure services (Key Vault, API Management, Defender for Cloud)
- Automate security controls using APIs, policy-as-code (Azure Policy), and detection-as-code frameworks
- Contribute to application security standards, architecture patterns, and best practices
- Provide guidance, mentorship, and training to development teams on secure coding and application security
Technical Competencies (Knowledge, Skills & Abilities)
- Strong understanding of application security principles including OWASP Top 10 and API Security Top 10
- Experience with GitHub Advanced Security (CodeQL, Dependabot, Secret Scanning)
- Hands-on experience with Tenable or similar DAST tools for application scanning
- Experience with CDN/WAF platforms such as Cloudflare and/or Vercel
- Knowledge of authentication and authorization standards (OAuth2, OIDC, JWT)
- Familiarity with Azure cloud security services (App Services, AKS, Key Vault, APIM, Entra ID)
- Experience integrating logs and telemetry into SIEM platforms (Sumo Logic preferred)
- Understanding of DevSecOps practices and CI/CD pipeline security
- Knowledge of containerized and microservices architectures
- Strong analytical, troubleshooting, and problem-solving skills
- Ability to work collaboratively with development and platform engineering teams
Education & Experience
- 5–10+ years of experience in Application Security, DevSecOps, or related field
- Bachelor’s degree in Computer Science, Information Security, or related discipline, or equivalent experience
- Hands-on experience with:
  - Azure cloud platforms
  - Application security tooling (GHAS, Tenable)
  - CI/CD pipelines (GitHub, Azure DevOps)
- Experience with CDN/WAF technologies and edge security strongly preferred
- Familiarity with SIEM and detection engineering concepts (Sumo Logic preferred)
- Relevant certifications preferred (e.g., AZ-500, CISSP, CSSLP, OSCP)