Application Security Analyst in City of London

Key Responsibilities

• Support and enhance the organisation's application security testing programme, leveraging approved enterprise tools for SAST, SCA, DAST, API security assessment, and penetration testing activities.
• Conduct manual analysis and security review activities across web, API, and internal applications to validate automated findings and uncover additional weaknesses.
• Triage, verify, and risk-rank vulnerabilities, partnering with engineering and application teams to ensure findings are accurately understood and remediation actions are practical and prioritised.
• Monitor and drive remediation progress, tracking closure of vulnerabilities and supporting engineering teams with root-cause analysis to reduce repeat issues.
• Contribute to secure development practices, helping to maintain secure coding standards, patterns, and reusable security controls or guardrails.
• Operate and optimise AppSec tooling within CI/CD workflows, supporting the organisation's DevSecOps journey and enabling early, automated detection of security issues.
• Provide hands-on guidance to developers, helping teams understand vulnerabilities, adopt secure patterns, and deliver applications that meet required security standards.
• Maintain comprehensive application security metrics, dashboards, and reports, ensuring technical and non-technical stakeholders have clear visibility of risk, progress, and governance alignment.

Performance Objectives

• Effectively run the application security toolset (SAST, SCA, DAST, API testing) within established SDLC and CI/CD processes, ensuring vulnerabilities are accurately identified, triaged, and communicated to engineering teams.
• Strengthen collaboration with development teams, providing high-quality remediation guidance and driving a measurable reduction in recurring application security weaknesses.
• Deliver clear, actionable AppSec reporting, maintaining dashboards and metrics that support governance, risk visibility, and informed decision-making for technical and leadership stakeholders.

Skills and Experience

Essential

• Hands-on experience in Application Security, DevSecOps, or security engineering, preferably within a large or complex technical environment.
• Practical experience deploying, tuning, and operating SAST, SCA, DAST, and API security tools as part of a structured AppSec programme.
• Strong understanding of secure coding fundamentals and common software weaknesses, including the OWASP Top 10 and MITRE CWE Top 25.
• Demonstrated experience triaging, validating, and prioritising vulnerabilities, working directly with software engineers to support remediation.
• Ability to read and interpret code in at least one common programming language (e.g., C#, JavaScript, Python).
• Knowledge of CI/CD pipelines and the integration of security tooling into developer workflows (e.g., GitHub Actions, Azure DevOps).
• Strong understanding of authentication and authorisation, including OAuth, OIDC, SSO, and role-based access control principles.
• Experience producing and maintaining security metrics, dashboards, or reporting to support governance and visibility.

Desirable

• Experience automating or contributing to DevSecOps tooling and pipelines, including scripting (e.g., Python, Bash).
• Knowledge of software supply chain security, dependency management practices, and artefact repositories (e.g., Artifactory).
• Exposure to cloud-native and containerised environments, including AWS/Azure, Kubernetes, microservices, and API-centric architectures.