Job Summary:
IDEXX Laboratories is seeking a Senior Application Security Engineer to join our Product & Application Security team protecting applications across development teams. This role combines hands-on security testing with strategic partnership - you will conduct security assessments, perform threat modeling, and work directly with developers to build security into products from the start.
Responsibilities:
• Conduct security architecture reviews and threat modeling sessions with development teams using STRIDE methodology
• Perform application security assessments across 20+ security verification service offerings including SAST/DAST analysis, manual code review, API security testing, authentication/authorization testing, and vulnerability validation
• Execute hands-on security testing of web applications, APIs, mobile applications, and cloud-native services
• Analyze and validate security findings from automated tools (GitHub Advanced Security, Synack, Tenable, AquaSec) and provide actionable remediation guidance
• Support penetration testing engagements and coordinate with third-party security assessment vendors (Synack ST+)
• Build and maintain security verification tooling, scripts, and automation to improve assessment efficiency and coverage
• Develop custom security testing scripts and proof-of-concept exploits to validate vulnerabilities
• Contribute to security tooling integration within CI/CD pipelines (GitHub Actions, GHAS CodeQL, secret scanning)
• Create reusable security patterns, code snippets, and reference implementations for common security controls
• Partner with Security Champions across 36 development teams to provide security design guidance and implementation support
• Deliver security training and enablement sessions on secure coding practices, common vulnerabilities, and threat modeling
• Provide just-in-time security guidance during sprint planning, design reviews, and code reviews
• Translate security findings into developer-friendly remediation guidance with code examples and implementation patterns
• Support Security Champions with security questions, design reviews, and knowledge sharing
• Contribute to SSDLC policy development and security requirements documentation grounded in OWASP SAMM practices
• Define and refine security verification service offerings based on application risk profiles
• Support the standardization of security assessment intake, execution, and reporting processes via ServiceNow
• Maintain security verification documentation including testing methodologies, checklists, and runbooks
• Track and report on security assessment metrics including coverage, finding severity distribution, and remediation timelines
Qualifications:
Required:
• 5 to 7+ years of experience in application security, software security engineering, or related roles
• Hands-on experience conducting security assessments including code review, penetration testing, or vulnerability analysis
• Demonstrated ability to threat model applications and identify security design flaws
• Proficiency with application security testing tools and methodologies
• Strong understanding of at least one programming language and web application architecture
• Experience working directly with development teams to remediate security findings
Preferred:
• GIAC Web Application Penetration Tester (GWAPT), Offensive Security Certified Professional (OSCP), or Certified Application Security Engineer (CASE) certification
• Experience with GitHub Advanced Security (GHAS) including CodeQL, Dependabot, and secret scanning
• Background in software development or DevOps with a transition to security
• Familiarity with OWASP SAMM, BSIMM, or similar secure development maturity frameworks
• Experience operating a Security Champions program or developer security enablement initiative
• Prior work in regulated industries (healthcare, financial services, government)
• Contributions to open source security tools or vulnerability research
• Strong understanding of common web application vulnerabilities (OWASP Top 10, SANS Top 25) and secure coding practices
• Practical experience conducting security assessments including SAST/DAST analysis, manual code review, and penetration testing
• Proficiency with application security testing tools (Burp Suite, OWASP ZAP, or similar)
• Solid understanding of at least two programming languages (Python, Java, C#, JavaScript, Go) sufficient to review code for security issues
• Experience with API security testing (REST, GraphQL, SOAP) and authentication/authorization mechanisms (OAuth, SAML, JWT)
• Working knowledge of CI/CD security integration and tools like GitHub Advanced Security, SonarQube, or Snyk
• Strong grasp of threat modeling methodologies (STRIDE preferred) and risk assessment
• Understanding of secure architecture principles and security design patterns
• Familiarity with cloud security fundamentals (AWS, Azure, or GCP)
• Knowledge of vulnerability scoring systems (CVSS, EPSS) and prioritization frameworks
• Awareness of compliance requirements (SOC 2, GDPR, HIPAA) and how they apply to application security
• Ability to communicate complex security issues clearly to both technical and non-technical audiences
• Skill in building trust and partnerships with development teams rather than acting as a gatekeeper
• Comfort working in a fast-paced agile environment where security must enable delivery
• Experience mentoring or enabling developers on security topics
• Track record of translating security findings into practical, actionable remediation guidance
Company:
10,000+ people, one global focus - enhancing the health and well-being of pets, people, and livestock We are passionate about what we do at IDEXX – and why wouldn’t we be? When you’re working to raise the standard of care for pets, make drinking water safe for billions and keep our livestock population around the globe healthy and free of disease, it’s no wonder that what we do each day is more than just a job. Founded in 1983, the company is headquartered in Westbrook, USA, with a team of 10001+ employees. The company is currently Late Stage.