Controls Application Engineer Jobs in Oregon (NOW HIRING)

We believe talent deserves a human touch. Your application will be read by an actual person who's excited to discover the real you.

Application Security Engineer

Location: Remote (United States) | Employment Type: Full-Time

About the Role

We are looking for an Application Security Engineer to join our product engineering team. You will serve as the named security function for a team building internal tooling for a portfolio of managed service provider companies, with a roadmap toward a public-facing SaaS product. This role sits inside engineering and works closely with developers and information security day to day.

The team you are joining is experienced and moves quickly. The right person for this role is comfortable operating as a peer to strong engineers, contributing practical security judgment and ensuring overall security of our solutions. As our product matures toward public availability, you will help ensure our security posture scales with it.

You should be comfortable operating in an exploratory, innovation-oriented environment where not everything will become production software. Right-sizing your security posture to the actual risk is a core expectation of this role.

Key Responsibilities

Embedded Security Partnership

Serve as the primary security resource for engineering teams in direct close coordination with information security teams, advising on design decisions, authentication patterns, and API security as features are built rather than after the fact

Conduct lightweight, developer-friendly threat modeling for new features and services, right-sized to the actual audience and risk profile (internal vs. public-facing)

Lead collaboration between engineering and information security teams through architecture and code reviews with actionable, specific guidance that helps teams ship, not slow down

Responsible for remediation and enforcement of security standards as set forth by the information security team

Define and maintain a tiered security standard that distinguishes expectations for internal tooling vs. production SaaS vs. public-facing products

Engage constructively with the enterprise security organization, translating between compliance and governance language and the engineering team's operational reality

Tooling & Automation

Responsible for adherence to GitHub Advanced Security (GHAS) configuration and security standards through ongoing tuning across code scanning, secret scanning, Dependabot, and security campaigns within GitHub Enterprise

Integrate security tooling into CI/CD pipelines as policy-as-code feedback loops, not manual gates

Develop and maintain GitHub Actions workflows with reusable, security-enforcing components

Drive remediation velocity metrics and coverage reporting across engineering teams

Cloudflare & Azure Security

Collaborate with information security teams to assess and secure workloads across both Cloudflare and Azure, including Cloudflare Workers, Access policies, WAF, and Zero Trust for public-facing infrastructure, and Azure security controls (Managed Identities, Key Vault, Defender, IAM) for internal and opco-facing services

Apply platform-appropriate security controls as our architecture spans both environments, calibrating to the risk profile of each workload

Evaluate and harden authentication flows, API security patterns, and service-to-service trust boundaries across Cloudflare and Azure environments

Contribute to container and cloud workload security as infrastructure patterns evolve

Development Contributions

Contribute to internal security tooling, automation, and integrations using Python and/or Go

Build security utilities such as vulnerability aggregation pipelines, policy enforcement tooling, or developer-facing security dashboards

Collaborate with information security and engineering teams on secure service design patterns, OAuth 2.0/OIDC flows, and API security controls

Compliance & Risk

Support SOC 2 readiness as the product matures toward public customers, mapping application security controls to Trust Services Criteria

Triage and prioritize vulnerability findings based on actual business risk rather than CVSS scores alone, distinguishing real issues from noise in a SaaS-native environment

Partner with GRC and the enterprise security organization on evidence collection and audit preparation, without allowing compliance prep to dominate engineering time

Required Qualifications

7+ years in application security, secure software development, or a closely related discipline

Demonstrated ability to operate as an embedded security partner within engineering, working side by side with developers

Deep, hands-on experience with GitHub Advanced Security or equivalent security tooling, including code scanning, secret scanning, Dependabot, and security policy enforcement within GitHub Enterprise

Experience with threat modeling methodologies (STRIDE, PASTA, or similar) applied to real-world systems, with instinct for right-sizing the process to actual risk

Proficiency in Python and/or Go, comfortable reading, writing, and reviewing production-grade code

Strong command of OWASP Top 10, common vulnerability classes, and secure design principles

Experience securing SaaS or product engineering workloads rather than enterprise IT or perimeter-focused environments

Experience securing workloads on Cloudflare (WAF, Access, Zero Trust, Workers) and Microsoft Azure (IAM, Managed Identities, Key Vault, Defender), with demonstrated depth in one and working familiarity in the other

Solid understanding of container security concepts with hands-on Docker experience

Excellent communication skills, with the ability to translate complex security risk into developer-actionable guidance and executive-level business context

Familiarity with SOC 2 Trust Services Criteria and how application security controls map to compliance requirements

Expected Compensation to be $160k and up Dependent on Experience.

Preferred Qualifications

Experience with DAST tooling (e.g., OWASP ZAP, Burp Suite Pro) integrated into automated pipelines

Familiarity with infrastructure-as-code security scanning (Terraform or similar)

Experience with API security standards including OAuth 2.0, OpenID Connect, and API gateway security patterns

Relevant certifications such as CSSLP, GWEB, or OSCP

AI/LLM security awareness, with a practical understanding of how AI-powered applications introduce unique security considerations including prompt injection, data exposure, and model supply chain risks

Familiarity with MCP (Model Context Protocol) server architectures and the security implications of LLM-to-tool integrations

Exposure to OWASP Top 10 for LLM Applications or similar emerging AI security frameworks

What Success Looks Like

In this role, success means developers ship more secure code faster, not slower. You earn trust by speaking the language of engineering, making the secure path the easy path, and knowing when to raise a flag versus when to let something ship. You apply proportionate security judgment across a spectrum from exploratory internal tooling to production SaaS, and you never mistake compliance theater for actual security.

The ideal candidate brings the depth to identify serious security issues, the engineering credibility to help teams fix them at scale, and the pragmatism to distinguish real risk from noise in a SaaS-native, developer-first environment.

Who We are:

At New Charter, we're building a caliber of business the IT industry hasn't yet seen. We are serving small-to-medium sized businesses in 10+ industries across North America, and we deliver best-in-class technology solutions to propel our clients into the digital world.

At New Charter Technologies, we're investing in our people - through growth and learning initiatives, employee benefits, company innovation, and more. We are constantly seeking a diverse candidate backgrounds and perspectives to amplify inclusive hiring practices for each job opening. Our partner companies have career paths for many different role types, whether you want to be deeply technical or whiteboarding with clients, and we are committed to developing fulfilling career paths for all contributors at New Charter Technologies. (Please note: Every application submitted through Workday is reviewed by a real person, not an AI. We value your time and take each submission seriously.)

Our teams are dedicated to pioneering breakthrough technologies, disruptive solutions, and transformative strategies. We're the architects of change, fostering an environment where bold ideas take flight, and creativity knows no bounds. At New Charter Technologies, we've embraced the idea that every individual brings something special to the table. Our foundation is based on the belief that each team member plays a crucial role in our collective success.

Ready to be part of a dynamic and supportive community where your unique skills and personality shine? We're on a mission to make a difference, and we want you to be part of the story. Let's transform the world together and build a career that's as unique as you are!

We are looking for driven and passionate people who are excited to work in an incredibly rewarding environment. So, if you are ready to learn, be inspired, solve problems, and grow professionally, apply today!Learn more here:Why New Charter.

New Charter Technologies is committed to creating an inclusive environment and is proud to be an equal opportunity employer. New Charter recruits, employs, trains, compensates, and promotes regardless of race, color, religion, sex, sexual orientation, gender identity, national origin, veteran, or disability status.