Upwork

Contract: Application Security Engineer

contract • Modena

Summary

Location

Modena

Type

contract

Experience

5-10 years


About this role

Upwork ($UPWK) is the world’s work marketplace. We serve everyone from one-person startups to over 30% of the Fortune 100 with a powerful, trust-driven platform that enables companies and talent to work together in new ways that unlock their potential.

Last year, more than $3.8 billion of work was done through Upwork by skilled professionals who are gaining more control by finding work they are passionate about and innovating their careers.

This is an engagement through Upwork’s Hybrid Workforce Solutions (HWS) Team. Our Hybrid Workforce Solutions Team is a global group of professionals that support Upwork’s business. Our HWS team members are located all over the world.

We are looking for an experienced Application Security Analyst to help identify, analyze, and reduce application-layer security risk across our environment. This role is heavily focused on triage, validation, and prioritization of findings from automated security tools and external researchers, rather than tool administration or application architecture ownership.

You will work closely with engineering, vulnerability management, and security operations teams to ensure findings are accurate, actionable, and addressed in a risk-informed way.

This is a hands-on role suited for someone who already understands application security fundamentals and wants to deepen their impact without moving into a senior or architect-level position.

Vulnerability Analysis & Triage

  • Analyze and validate findings from SAST, DAST, and SCA tools, including:
      • SonarQube
      • Veracode (SourceClear)
      • Netsparker (Invicti)
      • Chariot (by Praetorian)
      • Other common commercial and open-source scanning tools
  • Distinguish true positives from false positives and provide clear, developer-friendly explanations of confirmed issues.
  • Assess vulnerability severity and exploitability in real-world application contexts.

Bug Bounty & External Findings

  • Triage and validate submissions from the bug bounty program.
  • Reproduce reported issues and provide technical validation using tools such as Burp Suite.
  • Collaborate with internal teams to track remediation and confirm fixes.

Developer Collaboration

  • Work directly with application and platform engineers to:
      • Explain findings and root causes.
      • Provide remediation guidance and secure coding recommendations.
      • Help improve signal-to-noise ratio in security findings by refining workflows and feedback loops.

Process & Continuous Improvement

  • Leveraging AI and automation to remove repeatable processes.
  • Contribute to improving vulnerability triage processes and documentation.
  • Identify recurring vulnerability patterns and recommend preventive controls.
  • Support reporting and metrics related to application security risk.

Must-Haves (Required Skills):

  • 3–6 years of experience in application security, product security, or vulnerability management.
  • Strong hands-on experience reviewing and interpreting scan results from SAST, DAST, and SCA tools.
  • Practical understanding of common application vulnerabilities, including:
      • OWASP Top 10.
      • Injection flaws, authentication issues, access control problems (incl. IDOR), insecure dependencies.
  • Ability to read and reason about application code (e.g., Java, JavaScript, Python, Go, etc.) for the purpose of vulnerability analysis.
  • Experience working with or triaging findings from a bug bounty or responsible disclosure program.
  • Strong written and verbal communication skills, especially when translating security findings for developers.
  • Familiarity with CI/CD security integrations.
  • Experience with cloud-native or SaaS application environments.
  • Understanding of API security testing and findings.
  • Exposure to threat modeling or secure design reviews.
  • Experience working in a DevSecOps or product security team.

Upwork is proudly committed to fostering a diverse and inclusive workforce. We never discriminate based on race, religion, color, national origin, gender (including pregnancy, childbirth, or related medical condition), sexual orientation, gender identity, gender expression, age, status as a protected veteran, status as an individual with a disability, or other applicable legally protected characteristics.

Please note that a criminal background check may be required once a conditional job offer is made. Qualified applicants with arrest or conviction records will be considered in accordance with applicable law, including the California Fair Chance Act and local Fair Chance ordinances. The Company is committed to conducting an individualized assessment and giving all individuals a fair opportunity to provide relevant information or context before making any final employment decision.

To learn more about how Upwork processes and protects your personal information as part of the application process, please review our Global Job Applicant Privacy Notice (http://upwork.com/careers/job-applicant-privacy-notice).

What you'll do

  • The role involves identifying, analyzing, and reducing application-layer security risks, focusing on triage, validation, and prioritization of findings from security tools. The engineer will collaborate with various teams to ensure findings are actionable and provide remediation guidance.

About Upwork

Upwork is the world’s work marketplace that connects businesses with independent talent from across the globe. We serve everyone from one-person startups to large, Fortune 100 enterprises with a powerful, trust-driven platform that enables companies and talent to work together in new ways that unlock their potential. Our talent community on Upwork encompasses more than 10,000 skills in categories including website & app development, creative & design, customer support, finance & accounting, consulting, and operations.

Frequently Asked Questions

What does a Contract: Application Security Engineer do at Upwork?

As a Contract: Application Security Engineer at Upwork, you will identify, analyze, and reduce application-layer security risks, focusing on triage, validation, and prioritization of findings from security tools. The engineer will collaborate with various teams to ensure findings are actionable and provide remediation guidance.

Is the Contract: Application Security Engineer position at Upwork remote?

The Contract: Application Security Engineer position at Upwork is based in Modena, Emilia-Romagna, Italy. Contact the company through Clera for specific work arrangement details.

How do I apply for the Contract: Application Security Engineer position at Upwork?

You can apply for the Contract: Application Security Engineer position at Upwork directly through Clera. Click the "Apply Now" button above to start your application. Clera's AI-powered platform will help match your profile with this opportunity and guide you through the application process.

This role is hosted on Upwork's careers site.