Job description
1. Job Responsibilities
1. Responsible for building the security system for enterprise applications across all scenarios, executing security testing, implementing AI security, and managing security operations to ensure the security of the application lifecycle and promote the engineering of security capabilities.
2. Application Security System Construction
(1) Participate in business requirement and product security reviews, identify risks and output security control measures; assist with security design, threat modeling (STRIDE), and the adoption of shift-left security practices.
(2) Maintain application security design specifications and provide security training to development and testing teams.
3. Application Security Testing (SAST/IAST/Penetration/Component Analysis)
(1) Responsible for the daily operation of the SAST platform (task configuration, initial vulnerability review/fix tracking) and rule iteration; collaboratively maintain IAST probes, and automate vulnerability detection and verification.
(2) Conduct vulnerability analysis and investigation of components (Log4j, Fastjson, etc.); use tools like Burp Suite and SQLMap to perform penetration testing, output vulnerability reports, and promote fixes.
(3) Configure security plugins/gates in the CI/CD pipeline to block the deployment of high-risk vulnerabilities.
4. AI Security Specialization
(1) Participate in security reviews of AI applications (large models, etc.), design test cases, and execute adversarial testing.
(2) Participate in the formulation and promotion of AI security standards, and track security risks in AI applications.
5. Security Operations and Governance
Maintain an application security knowledge base, track vulnerability classes and disclosures such as the OWASP Top 10 and relevant CVEs, and output security metrics and reports.
2. Job Requirements
1. Basic Requirements: Bachelor's degree or above in Computer Science/Information Security or related fields, with 3+ years of application security work experience.
2. Core Skills
(1) Security Technology: Familiar with the principles of common vulnerabilities such as SQL injection, XSS, CSRF, and possess the ability to discover and fix vulnerabilities; proficient in using SAST/IAST tools (SonarQube, Burp Suite, etc.) and penetration testing tools.
(2) Engineering Capability: Understand CI/CD pipelines (Jenkins, GitLab CI), able to complete security plugin configuration and integration; proficient in languages such as Python/Java, capable of writing POCs or automated test scripts.
(3) AI Security: Understand the basic principles of large language models and the OWASP Top 10 for LLM Applications risk categories; experience testing AI applications is preferred.
3. Soft Skills: Possess clear vulnerability risk communication skills, able to efficiently drive development fixes; good documentation writing, teamwork, and cross-team communication skills, capable of completing complex tasks under the guidance of senior engineers.
