Application security engineers protect software from the vulnerabilities that external penetration testers find and developers miss, not by auditing after the fact but by embedding security into the development lifecycle itself. They review code, build scanning pipelines, run threat-modelling sessions with engineering teams, and respond when a researcher reports a critical bug. They work across fintech, healthcare, enterprise SaaS, and any organisation that ships code to customers who care about their data.
Three types of remote AppSec hiring right now
The product security engineer is embedded in or closely aligned with engineering teams. They participate in design reviews, perform code review for high-risk features, build SAST/DAST tooling into CI/CD, and run tabletop exercises. This is the most common AppSec hire at Series B and beyond software companies.
The security engineer focused on vulnerability management and bug bounty owns the triage and remediation lifecycle for externally reported and internally discovered vulnerabilities. They write CVEs, manage disclosure timelines, communicate with researchers, and drive remediation with product teams. HackerOne and Bugcrowd relationship management often falls here.
The AppSec platform engineer builds the security tooling infrastructure itself — secret scanning, dependency monitoring, SBOM generation, secure defaults libraries, and developer security portals. More infrastructure-leaning, often reporting into a security platform team rather than the product security team. Larger companies (Shopify, GitHub, Cloudflare) hire this profile.
Four employer types hiring remote AppSec engineers
Fintech and payments companies (Stripe, Plaid, Brex, Wise) run strict security programmes because a breach is an existential event. AppSec engineers here have high scope and board-level visibility.
Enterprise SaaS companies (Atlassian, HubSpot, Salesforce, ServiceNow) hire AppSec to manage the compliance obligations (SOC 2, ISO 27001, FedRAMP) that enterprise customers require. Expect structured processes and more stakeholder alignment.
Security-focused product companies (1Password, CrowdStrike, Okta, Snyk, Lacework) hire AppSec engineers who are themselves part of the security product story. The credibility bar is higher because the customers are security teams.
Early-stage startups with compliance pressure (post-Series A companies that just signed their first enterprise contract) hire their first AppSec engineer to build a programme from scratch. High ownership, high breadth, and often equity-heavy compensation.
Stack and tools AppSec engineers use
SAST: Semgrep, Snyk Code, CodeQL, Checkmarx.
DAST: Burp Suite, OWASP ZAP.
Dependency scanning: Snyk, Dependabot, OWASP Dependency-Check.
Secret scanning: TruffleHog, Gitleaks, GitHub Advanced Security.
Fuzzing: AFL++, libFuzzer.
Threat modelling: STRIDE, PASTA, draw.io for data-flow diagrams.
Bug tracking: Jira, GitHub Issues, HackerOne platform.
Six things that get AppSec engineers hired remotely
Demonstrated code review depth — not just "I ran Semgrep and fixed the findings" but evidence of reviewing complex business logic for injection, IDOR (insecure direct object reference), and authentication bypass, the classes of bug that automated tools miss.
Programming language breadth — AppSec engineers who can read Python, Go, JavaScript, and Java are significantly more useful than specialists in one language. The vulnerabilities move between stacks.
Threat modelling fluency — ability to run a structured session with engineers who are not security-focused, produce a documented threat model, and translate it into engineering tickets.
Bug bounty experience — even personal HackerOne or Bugcrowd submissions demonstrate practical offensive knowledge that makes defence much stronger.
Developer empathy — the best AppSec engineers make security easy to adopt, not difficult to avoid. Candidates who describe developers as the problem rather than the partner are less effective.
Communication in writing — remote AppSec work produces security reviews, design feedback, vulnerability advisories, and developer documentation. Writing is the job.
The bottleneck most AppSec candidates hit
The most common gap is candidates who have studied security theory (certifications, CTFs) but have not worked in a software engineering environment. AppSec is applied in the context of shipping software quickly — the security review needs to fit into the sprint, the finding needs to be framed as a developer task, and the remediation needs to not break the release. Candidates who approach it as a compliance checkbox exercise rather than an engineering collaboration fail the practical screen.
What hiring looks like in practice
Code review exercise: review 200–400 lines of code in a language the candidate knows and identify security issues; typically 1–2 hours.
System design (security focus): "Design the authentication system for a multi-tenant SaaS app. What are the threat vectors?"
Vulnerability scenario: "A researcher reports an IDOR in our API. Walk through your response."
Background check: extensive, often including criminal and financial checks (for roles at fintech or security companies).
Red flags that screen candidates out
Certifications without a practical portfolio: OSCP and CEH are signals, not substitutes for demonstrated AppSec work.
Only knowing how to run tools, without being able to explain what they find or miss.
No evidence of working with engineering teams: AppSec that operates purely in a security silo is a liability in modern software organisations.
Describing every finding as critical: severity calibration is a core skill.
Green flags that accelerate offers
A public disclosure or bug bounty report with a well-written writeup. Experience building a security champions programme or developer security training. Evidence of fixing root causes rather than symptoms — replacing a broken auth library rather than patching the individual endpoint. References from engineering managers who describe the candidate as "someone who made security part of how we build, not a bottleneck."
Gateway skills to AppSec if you are not there yet
Software engineering experience is the most direct path — engineers who pivot to security bring the developer empathy that matters most. Offensive security (CTFs, bug bounty, penetration testing) builds the attacker mindset. Security code review courses (SANS DEV544, Secure Code Warrior) bridge the gap from theory to practice. Join a company with a security champions programme and volunteer to be the champion for your team.
Frequently asked questions
Do I need a security certification to get an AppSec role? Certifications help (OSCP, GWEB, CEH) but are not required. A strong portfolio of code reviews, bug bounty findings, or open-source security contributions often outweighs them. Certifications matter more at regulated-industry companies (financial services, healthcare) where they may be required by compliance frameworks.
What salary does a remote AppSec engineer earn? Mid-level AppSec engineers at SaaS companies typically earn $150k–$200k USD. Senior AppSec engineers with threat-modelling and programme-building experience range from $200k–$270k total compensation. EU roles run €85k–€140k depending on country and seniority. Security commands a premium over equivalent engineering seniority because supply is genuinely constrained.
What is the difference between AppSec and cloud security? Application security focuses on the code — vulnerabilities in the software itself (OWASP Top 10, business logic flaws, authentication weaknesses). Cloud security (sometimes called cloud security engineering or CSE) focuses on the infrastructure — IAM misconfigurations, exposed S3 buckets, network segmentation, and cloud-native security tooling. Mature security programmes have both; smaller companies often combine them.
Is AppSec a good remote career? Yes — AppSec work is primarily asynchronous: code review, documentation, written security advisories, and async design feedback. The work does not require physical presence, and the shortage of qualified AppSec engineers makes remote hiring attractive to employers who want the best candidates regardless of location.
How does AppSec fit into a DevSecOps culture? In a DevSecOps model, AppSec engineers shift left — they participate in design, provide developer tooling, and run automated scanning in CI/CD rather than gating releases with manual reviews. The review-and-approve model is largely gone at modern software companies; the coaching-and-enabling model has replaced it.