Application Security (AppSec) Engineer

We are seeking an Application Security Engineer to build and develop our application security capability. The core mandate is security: defining how the organization designs, builds, and ships software securely — spanning secure SDLC, DevSecOps, security architecture and design, application security testing, and developer enablement. The engineer drives security into the development lifecycle and CI/CD pipelines and fundamentally reduces security risk in software.

Key Responsibilities

• Security by Design: Threat modeling, secure design review, security requirements; collaborate with architects to embed security into application design.
• Security Architecture & Solutions: Recommend and implement security controls appropriate to each application's risk profile — e.g., WAF, API security, mobile app hardening (RASP / anti-tampering).
• Application Security Testing: Operate SAST/DAST/SCA/SBOM tooling; triage findings, eliminate false positives, validate exploitability, and prioritize remediation by real risk.
• Secure SDLC & DevSecOps Integration: Embed security gates and automated checks into CI/CD pipelines.
• AppSec Maturity (OWASP SAMM): Run SAMM assessments, define the maturity roadmap, and measure improvement over time.
• Developer Enablement: Secure coding training và Security Champions program.

Job Requirements

We are looking for a highly motivated person with:

• 2-3+ years of experience with Application Security Engineering or related Security roles.
• Solid foundation in application security: OWASP Top 10 and beyond — common vulnerability classes, ability to read code and understand why a finding is (or isn't) exploitable.
• Hands-on secure SDLC & secure design: threat modeling, secure design review, security requirements.
• Strong understanding of SAST, DAST, SCA and SBOM tooling — interpreting results, triaging false positives, prioritizing by risk.
• Ability to select the right tool for the right context (judgment, not tool-operation).
• Working knowledge of CI/CD and automation as the delivery medium (Python/Bash).
• Excellent collaboration and communication skills, with the ability to work closely with developers, architects, and operations teams.
• A proactive attitude & the ability to think outside of the box
• Works in an organised, structured manner
• Can do attitude, gets things done
• Excellent communication skills with diverse audiences
• Strong critical thinking and analytical skills

Nice-to-have:

• Practical OWASP SAMM (or BSIMM) implementation experience.
• Security architecture experience: WAF, API security, mobile app shielding/RASP.
• Awareness of secure-by-design frameworks/regulations: NIST SSDF, EU Cyber Resilience Act.
• A relevant AppSec/offensive cert (OSWE, eWPTX, GWAPT, Burp Suite Certified, CSSLP) — tín hiệu lọc nền tảng security.
• IaC security (Terraform/K8s/Helm), cloud security, English.

Benefit

• Annual bonus: 2 - 3 months under minimum KPI requirement
• Fast promotion opportunities based on personal ability
• Work in a dynamic, open, creative environment
• Regular training, company team building, birthday bonus

About Concung.com

• Working time: 8:30 - 17:30 Monday - Friday
• Working place: 6th Floor, 9 Nguyen Trai Street, Pham Ngu Lao Ward, District 1, Ho Chi Minh City