Security Engineer II (AppSec)

About the Role

As a key member of the Application Security team, the Security Engineer II will have the opportunity to work on a variety of challenging projects, from designing and implementing dashboards for on-call activities to helping triage and respond to security findings and alerts generated by application security tools. This role is ideal for someone who enjoys solving security challenges collaboratively and is passionate about building scalable solutions that integrate security practices into the daily work of engineers.

The role reports to a Business Information Security Officer, providing a structured environment for professional growth and development. Nerdwallet's flexible and candid culture supports remote work, allowing team members to thrive in an environment that values openness, respect, and collaboration. Whether working remotely or in-office, the company invests in the well-being, development, and ability of its employees to make a meaningful impact, recognizing that when one team member grows, the entire team benefits.

What You Will Do

• Design and implement tools, processes, and automation that enhance the visibility of application security risks for both engineers and leadership.
• Partner with engineering and product teams to identify and remediate security gaps across multiple systems, balancing business priorities with security improvements.
• Develop and maintain dashboards and metrics that provide insights into application security posture and risk.
• Collaborate with engineers to review pull requests and provide actionable guidance on secure coding practices.
• Support operational work during security investigations or incidents affecting applications.
• Help integrate security practices into the secure development lifecycle (SDLC) across teams.
• Participate in the development of automation or tooling that streamlines application security workflows.
• Engage in regular security assessments and penetration testing to ensure the resilience of Nerdwallet's applications.
• Contribute to the growth of Nerdwallet's application security program through innovation, automation, and developer enablement.

What We Are Looking For

• 2+ years of experience in application security, software engineering, or a related security role.
• Familiarity with common web application vulnerabilities and mitigation techniques, such as the OWASP Top 10.
• Experience identifying, triaging, and remediating security vulnerabilities in applications.
• Experience working with software deployed in cloud environments, particularly AWS.
• Proficiency in Python or another scripting language used for automation.
• Comfortable reading and reviewing JavaScript or similar application code.
• Experience or interest in building automation, tooling, or processes that improve application security workflows.
• A pragmatic approach to reducing risk, balancing security improvements with product and engineering priorities.
• A curious and motivated attitude towards continuously growing application security knowledge and skills.
• Ability to work collaboratively, asking questions, seeking guidance, and debating with teammates when working through complex problems.
• Commitment to fostering a respectful, blameless, and collaborative engineering culture.

Nice to Have

• Experience with security information and event management (SIEM) systems.
• Knowledge of compliance frameworks and regulations relevant to the financial industry.
• Familiarity with agile development methodologies and version control systems like Git.
• Experience with cloud security platforms and services.
• Participation in bug bounty programs or capture the flag (CTF) challenges.

Benefits and Perks

• Competitive compensation package.
• Opportunities for professional growth and development in a rapidly expanding company.
• Flexible and remote work options, allowing for a better work-life balance.
• Comprehensive health benefits.
• Generous PTO policy.
• Access to cutting-edge technologies and tools.
• Collaborative and dynamic work environment.
• Recognition and reward for outstanding performance and contributions.

• Tip: Ensure your resume highlights specific experiences with application security tools and technologies, such as OWASP ZAP or Burp Suite.
• When applying, include a cover letter that outlines your approach to balancing security with business priorities and how you've handled such challenges in the past.
• Prepare to discuss your experience with secure coding practices and how you've helped engineers integrate security into their workflows.
• Showcase any personal projects or contributions to open-source security projects that demonstrate your skills and passion for application security.
• Be ready to walk through your thought process when approaching a complex security problem, and how you collaborate with teams to find and implement solutions.
• Highlight any certifications, such as CompTIA Security+ or CISSP, that demonstrate your expertise in security principles and practices.