Application Security Engineer.

An engineer who owns the security of an organization's software — threat modeling, secure design reviews, SAST/DAST/SCA tooling, secrets and dependency hygiene, security training, and partnership with development teams to fix what's found. Cette notion relève de la catégorie Rôles et carrières en cybersécurité.

An engineer who owns the security of an organization's software — threat modeling, secure design reviews, SAST/DAST/SCA tooling, secrets and dependency hygiene, security training, and partnership with development teams to fix what's found.

An Application Security (AppSec) engineer is the role that owns secure-software outcomes inside a product or platform organization. The work spans both proactive and reactive surfaces. Proactively: building threat models for new services, running design reviews against OWASP ASVS/MASVS controls, deploying and tuning SAST/SCA/DAST/IAST/secrets-scanning tooling in CI, running bug-bounty triage, building paved-road libraries and frameworks that make secure defaults the easy path, and delivering developer-facing security training. Reactively: responding to externally reported vulnerabilities, coordinating disclosure, and partnering with engineering on fixes and tests. Strong AppSec engineers know modern web (OWASP Top 10, browser security headers, JWT/OAuth pitfalls), API security, mobile AppSec when relevant, cloud-native and Kubernetes context, supply-chain (SBOM, SLSA, sigstore), and at least one programming language well enough to write fixes themselves. Certifications often associated with the role include OSCP, OSWE, GIAC GWAPT / GMOB, and CSSLP, though most senior AppSec engineers are valued more for shipped track record than certification.

Les défenses contre Application Security Engineer combinent habituellement des contrôles techniques et des pratiques opérationnelles, comme détaillé dans la définition ci-dessus.

Noms alternatifs courants : AppSec engineer, Product security engineer.