Application Security Engineer

Role Description: As an Application Security Engineer at Booking.com, you will play a critical role in safeguarding one of the world's largest online travel platforms. This position sits at the intersection of security and software development, focusing on identifying, preventing, and mitigating security vulnerabilities throughout the application development lifecycle. In this role, you will collaborate with development teams to implement secure coding practices, conduct security assessments of applications, and develop automated security testing solutions. You'll leverage your expertise in vulnerability assessment, and secure software development to protect Booking.com's extensive digital infrastructure and the sensitive data of millions of users worldwide. The ideal candidate combines strong technical security knowledge with excellent communication skills to effectively partner with cross-functional teams in Booking.com's dynamic, global environment. This position offers the opportunity to make a significant impact on the security posture of a technology leader in the travel industry. Key Responsibilities - Manage and triage vulnerability reports from HackerOne and internal assessments, conduct validation and impact analysis, and maintain comprehensive tracking dashboards for security posture visibility - Partner with development teams to communicate vulnerability details, provide remediation guidance, review proposed fixes, and facilitate security design reviews and threat modeling sessions - Conduct manual security testing, code reviews, and penetration testing of applications and APIs while developing automated vulnerability scanning processes for CI/CD integration - Coordinate with bug bounty platforms to optimize program scopes and researcher engagement, manage responsible disclosure processes, and maintain relationships with external security researchers - Lead security incident response for critical vulnerabilities, prepare executive reports on security risk posture, and develop security training materials and workshops for development teams - Collaborate with development teams to implement secure coding practices and review application architectures for security considerations - Provide guidance and training to development teams on application security best practices - Stay current on emerging threats and vulnerabilities to proactively enhance security controls What We Are Looking For - Bachelor's degree in Computer Science, Cybersecurity, or a related field, or equivalent experience - 3-5 years years of experience in application security or information security roles with at least 1 years fulltime and exclusive experience in the given area of vulnerability management. - Demonstrated experience configuring and managing Web Application Firewall solutions (e.g., AWS WAF, Cloudflare, F5, Imperva) - Strong understanding of OWASP Top 10 vulnerabilities and mitigation strategies - Knowledge of secure coding practices and common web application vulnerabilities - Scripting and automation skills using Python, or similar languages - Knowledge of DevSecOps practices and tools for integrating security into CI/CD pipelines - Excellent communication skills to explain technical security concepts to non-technical stakeholders - Knowledge of compliance requirements related to application security (e.g., PCI DSS, GDPR) Nice to Have - Security certifications such as OSCP, OSWA and OSWE. - Experience with cloud security and securing applications in AWS, Azure, or GCP environments - Experience with API security and securing microservices architectures - Experience with threat modeling and risk assessment methodologies - Contributions to the security community through research, blog posts, or open-source projects