Application Security Engineer

US base salary range: $76,000 - $95,000 DOE

Bonterra exists to propel every doer of good to their peak impact. We measure that impact against our vision to increase the giving rate as a percentage of GDP from 2% to 3% by 2033. We know that this goal is lofty, but we are confident that the right technology and expertise will strengthen trust in the sector, allowing the social good industry to accelerate growth and reach peak impact. Bonterra's differentiated, end-to-end solutions collectively support a unique network of over 20,000 customers, including over 16,000 nonprofit organizations and over 50 percent of Fortune 100 companies. Learn more at bonterratech.com.

As an Application Security Engineer at Bonterra, you will help support the security of our web applications and APIs by working closely with engineering, DevOps, and security teams. In this role, you'll focus on identifying and helping remediate application security risks, supporting secure development practices, and contributing to application security tooling and processes that enable teams to ship software safely and efficiently.

This role is well suited for an application security engineer with a few years of hands-on experience who is comfortable executing security testing activities, analyzing findings, and collaborating with development teams, while continuing to grow depth in areas such as cloud security, automation, and secure design.

This role is scoped as a mid-level Application Security Engineer position with opportunities to grow into senior application or product security roles over time.

What You'll Do

• Work with engineering teams to help integrate application security best practices into the software development lifecycle (SDLC), including secure coding guidance.
• Support secure CI/CD pipelines by collaborating with DevOps and cloud teams on existing security controls and workflows.
• Identify, assess, and help prioritize vulnerabilities in web and API-based applications, providing guidance to engineering teams on remediation.
• Perform manual web application penetration tests using established methodologies and tools.
• Assist with proof-of-concept demonstrations for select security findings to help teams understand impact and remediation.
• Perform application code reviews as needed.
• Review and triage SAST, SCA and DAST scan results.
• Track and manage application security findings, supporting remediation efforts and verification of fixes.
• Support incident response efforts related to application security issues.
• Provide guidance to engineering teams on common web application vulnerabilities such as OWASP Top 10.
• Develop and implement scripts and workflows to streamline operations and reduce manual effort.
• Automating security processes and developing methods for analyzing and responding to security findings.
• Assist with documenting secure coding standards and common remediation patterns.
• Stay current on emerging threats, vulnerabilities, and application security trends.

Requirements

• 3+ years of experience in application security, product security, or secure software development.
• Experience with manual web application penetration testing.
• Experience securing modern web applications and APIs.
• Strong understanding of web application vulnerabilities, their root causes, and common remediation approaches.
• Ability to review application source code as needed to support vulnerability triage and testing activities.
• Proficiency in at least one programming language (e.g., Java, Python, JavaScript/TypeScript, C#, or Go).
• Experience working with CI/CD pipelines and modern development workflows.
• Familiarity with security testing tools such as SAST, DAST, and SCA.
• Strong communication skills and ability to work collaboratively with engineering teams.

What sets you apart

• Exposure to threat modeling concepts and secure design practices.
• Previous software development or application design experience.
• Familiarity with cloud environments and basic AWS security concepts.
• Basic knowledge of identity and access management concepts (OAuth, OIDC, JWT)
• Exposure to PCI DSS or regulated environments.

At Bonterra, we're building AI-powered tools to solve real human challenges-and we want teammates who share that enthusiasm.We value people who will champion AI and bring diverse perspectives from different industries, backgrounds, and cultures. Together, we create AI that breaks down barriers, empowers communities, and delivers better outcomes.

At this time, we are unable to consider candidates who require current or future sponsorship for employment authorization.

____________________________________________________________________________________

At Bonterra, we're innovating with a higher purpose: to increase giving to 3% of US GDP by 2033, creating $573 billion more in global impact every year. At Bonterra, we foster an inclusive, equitable culture where every team member belongs and contributes to meaningful impact. Read more about our values and culture here.

We offer a comprehensive benefits package that supports your health, well-being and growth - explore full details here.

Compensation and benefits for this role apply to full-time employees in the United States and may vary based on local standards, laws and norms. Pay is determined by location, skills, experience, and education, and is one part of Bonterra's total rewards package, which may also include bonuses, incentives, equity, and a comprehensive benefits program.

____________________________________________________________________________________

At Bonterra, we are proud to be an Equal Opportunity Employer. We celebrate diversity and are committed to creating an inclusive environment for all employees. We provide equal employment opportunities without regard to race, color, religion, sex (including pregnancy, sexual orientation, or gender identity), national origin, age, disability, veteran status, or any other characteristic protected by law.

If you require a reasonable accommodation during the application process, please submit a request.