Application Security Engineer at Nerdy

Remote - São Paulo, SP

Apply

We are seeking an experienced Application Security Engineer to serve as a trusted partner to our software development teams. This role focuses on making our product secure by design—embedding security into how software is architected, written, deployed, and maintained. Unlike infrastructure security roles, this position centers on application-layer and code-level security, working closely with developers to enable fast, confident delivery by providing meaningful, actionable security tooling and feedback. This includes leveraging modern AI‑assisted techniques to accelerate vulnerability analysis, exploit chaining, and demonstration of actual risk. You will ensure engineering teams move faster—not slower—while minimizing noise. This role is part of the IT & Security team and prioritizes embedding guardrails into developer workflows rather than enforcement gates. Responsibilities include enabling engineering teams to move quickly while embedding security into development workflows; partnering with engineering on secure use of AI services, evaluating controls such as AI gateways, prompt inspection, and policy enforcement; identifying, prioritizing, and implementing security tooling in developer environments and CI/CD pipelines with AI‑assisted triage; collaborating with developers to identify vulnerabilities in code, APIs, and dependencies; demonstrating practical exploit techniques to raise security awareness and drive remediation; analyzing vulnerabilities across code, dependencies, APIs, and logic with AI‑assisted techniques; building or adapting automation scripts and tools for continuous security validation; providing coaching, documentation, and embedded training; continuously evaluating emerging AI and application security threats and detection techniques; leading incident response activities as part of the incident commander rotation; and driving continuous improvement of incident response runbooks and playbooks.

Requirements

Experience

  • Experience as an Application Security Engineer, Security Consultant, or Security-focused Software Engineer
  • Strong understanding of secure coding practices and common vulnerability patterns
  • Ability to apply common web application attack techniques and create proof‑of‑concept exploits to validate whether vulnerabilities are exploitable in our environment
  • Proven ability to analyze exploit chains and demonstrate actual risk, leveraging AI to accelerate discovery and validation
  • Hands‑on experience integrating security tooling into CI/CD pipelines
  • Familiarity with Ruby, Go, JavaScript/React, and related frameworks
  • Deep familiarity with OWASP guidance, including the OWASP Top 10, Application Security Verification Standard (ASVS), and Secure Coding Guidelines
  • Partner with DevOps to embed application security into CI/CD pipeline design and practices
  • Ability to assess and communicate application risk in architectural and business context
  • Comfortable demonstrating real‑world exploits to technical and non‑technical stakeholders
  • Excellent written and verbal communication skills in an async‑first, remote environment

Skills

  • Strong understanding of secure coding practices
  • Knowledge of common vulnerability patterns
  • Application of web application attack techniques
  • Proof‑of‑concept exploit creation
  • Exploit chain analysis
  • Security tooling integration into CI/CD
  • Familiarity with Ruby, Go, JavaScript/React
  • OWASP Top 10, ASVS, Secure Coding Guidelines
  • Embedding security into CI/CD design
  • Application risk assessment
  • Exploit demonstration to stakeholders
  • Written and verbal communication

Responsibilities

  • Enable engineering teams to move quickly while embedding security into development workflows
  • Partner with engineering on secure use of AI services, evaluating controls such as AI gateways, prompt inspection, and policy enforcement
  • Identify, prioritize, and implement security tooling in developer environments and CI/CD pipelines, with AI‑assisted triage to reduce noise and highlight exploitable risks
  • Collaborate with developers to identify vulnerabilities in code, APIs, and dependencies; improve secure coding awareness; and participate in design reviews and threat modeling
  • Demonstrate practical exploit techniques to raise security awareness and drive remediation, including chaining multiple weaknesses across services to illustrate end‑to‑end risk
  • Analyze vulnerabilities across code, dependencies, APIs, and logic, with AI‑assisted techniques to identify and prioritize exploit chains
  • Build or adapt automation scripts and tools for continuous security validation, using AI copilots to accelerate script generation and validation
  • Provide coaching, documentation, and embedded training to help developers understand and apply security guidance within their workflows
  • Continuously evaluate emerging AI and application security threats and detection techniques
  • Lead incident response activities as part of the incident commander rotation
  • Drive continuous improvement of incident response runbooks and playbooks

Technologies

RubyGoJavaScript/ReactAI

See if your resume is ready for this job

See how our AI can optimize your resume and improve your chances for this role.