Application Security Engineer (SAST/OWASP) — Hybrid Braga (2 days/week in office)

ABOUT THE OPPORTUNITY

Join a globally recognised leader in application security — trusted by more than 1,800 enterprises, including 40% of the Fortune 100. This organisation sits at the intersection of developer tooling and cybersecurity, helping the world's most demanding engineering teams ship secure code at scale.

As an Application Security Engineer, you will work directly with strategic customers to deliver high-impact security engagements, embedded in the Global Services team as a trusted expert bridging the gap between security findings and real-world remediation.

PROJECT & CONTEXT

You will support top-tier enterprise customers conducting deep security-focused code reviews using a best-in-class SAST platform. Engagements span a broad range of stacks — from legacy Java monoliths to modern microservices in Go and Python.

Day-to-day, you will:

  • Perform static code analysis across Java, .NET/C#, JavaScript/TypeScript, Go, Python, and open-source libraries.
  • Advise AppSec and Dev teams on mitigation strategies aligned to OWASP Web Top 10 (2021), OWASP API Security Top 10 (2023), OWASP Mobile Top 10, and PCI-DSS v4.0.
  • Develop proof-of-concept exploits to demonstrate vulnerability exploitability and support prioritisation decisions.
  • Support customer teams in triaging and analysing complex application security findings.
  • Travel occasionally to international customer sites (< 10% of time).

WHAT WE'RE LOOKING FOR | Required

  • 5+ years of hands-on software development in one or more of: Java, .NET/C#, JavaScript/TypeScript, Go, Python.
  • 5+ years conducting security-focused code reviews, with solid knowledge of OWASP Web Top 10 (2021), OWASP API Security Top 10 (2023), OWASP Mobile Top 10, and PCI-DSS v4.0.
  • Proven SAST experience — ability to identify, classify, and prioritise vulnerabilities across diverse codebases.
  • Hands-on experience creating proof-of-concept exploits to illustrate real-world attack vectors.
  • Strong communication skills — able to translate security findings into actionable guidance for both technical and non-technical stakeholders.
  • Proactive, self-managed working style suited to a distributed team environment.
  • Fluent English (written and spoken) — required for all customer-facing engagements.
  • Bachelor's degree (or equivalent) in Computer Science, Information Security, or a related technical discipline.

NICE TO HAVE | Preferred

  • Experience with Checkmarx One or comparable SAST/SCA tools (Veracode, Fortify, Semgrep).
  • Knowledge of Software Composition Analysis (SCA) and software supply chain security.
  • Relevant certifications: OSCP, GWEB, CSSLP, or CEH.
  • Experience within enterprise AppSec programmes or DevSecOps pipelines.
  • Cloud-native security exposure (AWS, Azure, or GCP).
  • Additional languages (Portuguese, German, French) are a plus given the global customer base.

Compensation: €2,565 – €3,420/month net, depending on experience and seniority level.

Why HumanIT people stay (4.4 Glassdoor, 89% recommend)

  • 15th month salary
  • Health insurance covering your family
  • Birthday off
  • Mobility program for digital nomads
  • Real work-life balance

Full benefits: https://www.humanit.pt/careers/#perks
What it's really like: https://www.humanit.pt/careers/#work-at