
Application Security Engineer

The Associated Press
paid time off, 401(k)
United States, New York, New York
200 Liberty Street
Sep 15, 2025

Date: Sep 15, 2025

Location:
New York, NY, US, 10281

Company:
Associated Press

The Associated Press is an independent global news organization dedicated to factual reporting. Founded in 1846, AP today remains the most trusted source of fast, accurate, unbiased news in all formats and the essential provider of the technology and services vital to the news business. More than half the world's population sees AP journalism every day.

The Associated Press seeks an Application Security Engineer to join our Information Security Team. This is a full-time, US-based position and reports to our Senior Director of Information Security.

In this role, you will create, execute, and manage remediation action plans which help The AP identify and assess its information security and privacy standards, set priorities, and mitigate vulnerabilities across our application landscape. This role also includes working closely with partner teams in the technology department to create and review processes and help develop a comprehensive, organization-wide vulnerability management program.

This is a key role that will focus on ensuring the adoption, deployment, fine-tuning, and development of tools, services, and processes that enable security controls in the software development lifecycle (SDLC). This role will work closely with Development and DevOps teams to define security processes and integrations that support existing workflows and pipelines. This role will work across all aspects of the Application Security team (Engineering, Operations, Testing, and Vulnerability Management) to ensure an efficient and effective Application Security Pipeline.

The Application Security Engineer will work with technology and business partners to help improve the security posture and design of both our enterprise and consumer-facing products. You are comfortable balancing security priorities within a fast-paced, highly diversified environment to support news operations, technology, and key business stakeholders. You can assess complex problems within your scope of responsibility and create solutions that require in-depth analysis and knowledge of organizational objectives.

Key Responsibilities:



  • Provide input for AppSec strategy across the organization
  • Identify and assess security risks in AP products
  • Work with internal teams to effectively address and remediate risks across products and applications
  • Serve as a resource to collaborate with our development and operations teams to integrate secure practices into our CI/CD pipelines
  • Perform application security assessments on applications and systems to proactively identify vulnerabilities and threats against applications and features
  • Assist with the creation of security policies, procedures, and standards, ensuring adherence to modern DevSecOps best practices
  • Provide specific risk assessment and remediation guidelines for developers and business owners
  • Educate and train product teams on security topics and skills as they relate to their products' security posture
  • Perform design reviews, application threat modeling, and code reviews of upcoming features and products
  • Create or guide security controls, including scan rules/policies, WAF rules/policies, and SIEM alerts or dashboards



Requirements:



  • Minimum two (2) years of experience in an Application Security role, or four (4) years of experience as an engineer or administrator of enterprise security technology platforms
  • Independently run Application Security scanners and perform false positive analysis on results for code analysis, composition analysis, and automated dynamic analysis
  • Independently run end-to-end security assessments for web applications, rating and conveying findings based on internal risk-rating systems
  • Working experience with source-to-sink analysis
  • Working experience with reachability analysis strategies
  • Ability to work rotating on-call schedules as needed
  • Ability to determine organizational risk of findings from different Application Security tools and scanners
  • Knowledge of Information Security and emerging trends, threats, attack techniques and mitigation methods
  • Strong knowledge of cybersecurity principles and best practices for managing risks against products and applications
  • Mastery of Application Security frameworks, standards, and controls
  • Working experience with various OWASP resources, including the OWASP Top 10, ASVS, and A.I. controls
  • Understanding of MITRE CWE and CAPEC and how they align with Application Security, Vulnerability Management, or Threat Modeling exercises
  • Experience with performing security reviews of new products or features
  • Ability to communicate where and how security fits in all stages of the DevSecOps Cycle
  • Strong understanding of at least one (1) of the following programming languages: Python, JavaScript, C#, Java, Go, or Rust
  • Experience using a debugger
  • Ability to find and relate recent Cyber Threat Intelligence to security reviews of products and applications
  • Experience with documenting findings, remediations, and workable proof-of-concept exploits, in the form of reports, tickets, pull requests, etc.
  • Proactive, flexible, responsive, and resourceful work habits:


    • Ability to work independently and collaboratively as a member of a small team
    • Excellent organization and prioritization skills
    • Ability to manage multiple projects and thrive in a fast-paced environment
    • Strong attention to detail and analytical skills
    • Strong communication and interpersonal skills




What will set you apart:



  • Experience with full-stack web application development
  • CTF experience with an emphasis on web exploitation
  • Expertise in any one (1) threat modeling methodology or approach
  • Training or certifications related to the professional duties of Application Security: Offensive Security, SANS, etc.
  • Involvement with local or global security communities
  • Experience with maintaining information security blogs, video blogs, event talks, etc.
  • Prior experience in any of the following roles: Vulnerability Analysis/Research, Cloud Security, Cyber Threat Intelligence, Red Teaming, Adversary Emulation, etc.
  • Direct experience with NIST-based risk assessments or relevant literature
  • Experience with NIST-based security compliance frameworks and standards and/or experience with ISO 27001 and SOC2 compliance standards
  • Independent working experience in any IT or Cybersecurity-adjacent discipline (systems engineering and security, vulnerability research, etc.)
  • Working experience with LLM security frameworks, including OWASP LLM Top 10 and MITRE ATLAS



Advanced-level professional competency in written and spoken English language is required.

The application period will expire at 11:59pm on September 29, 2025.

The anticipated salary range for this position is $120,000 - $130,000 - contingent on experience and other job-related factors. Employees are eligible to participate, according to the terms of the official plan documents, in a 401(k) plan, employer-sponsored health insurance plan, and are eligible for paid time off and holidays in accordance with AP policy.

AP seeks to build an inclusive organization grounded in respect for differences. We support all aspects of diversity and provide equal employment opportunities to all employees and applicants without regard to race, color, religion, sex, marital status, national origin, age, sexual orientation, gender identity, disability, status as a veteran, or other characteristic protected by law.






Nearest Major Market: New York City



Job Segment:
Cyber Security, Cloud, Developer, Information Security, Security, Technology
