Senior Application Security Engineer - Automation | Chicago, IL, USA

Fitch Group
Chicago, US
On-site

Job Description


Fitch Group is currently seeking a Senior Application Security Engineer - Automation based out of our Chicago office.

As a leading, global financial information services provider, Fitch Group delivers vital credit and risk insights, robust data, and dynamic tools to champion more efficient, transparent financial markets. With over 100 years of experience and colleagues in over 30 countries, Fitch Group's culture of credibility, independence, and transparency is embedded throughout its structure, which includes Fitch Ratings, one of the world's top three credit ratings agencies, and Fitch Solutions, a leading provider of insights, data and analytics. With dual headquarters in London and New York, Fitch Group is owned by Hearst.

Want to learn more about a career in technology and data at Fitch?

Visit: https://careers.fitch.group/content/Technology-and-Data/

We are seeking a Senior Engineer to join Fitch's Application Security program with a strong focus on CI/CD-native security, automation, AI-assisted secure coding and deployment, and secure-by-default developer workflows. This role is ideal for an experienced application security engineer who exhibits AppSec expertise (secure design and architecture, vulnerability identification and remediation), enabling security to scale through automation rather than manual intervention.

The ideal candidate will bring hands-on experience integrating security scans into modern CI/CD pipelines (e.g., GitHub Actions, Jenkins, Azure DevOps, or equivalent), building scripts and workflows that automate static, dynamic, and open-source security scanning across the delivery lifecycle, and be capable of generating, reviewing, and securing AI-assisted or generated code. This candidate will need to be able to harness and curate context for an agent that would propose fixes and features for the existing pipeline security stages, as well as to use an agent-first approach to maintaining and testing stages. They will also be comfortable performing secure code reviews to identify common vulnerabilities and will partner with development teams through practical secure-coding training, playbooks, and coaching to improve remediation quality and reduce repeat findings.

How You'll Make an Impact:

• Lead the integration of application security controls into CI/CD pipelines.

• Design, build, and maintain automated security scanning pipelines using GitHub Actions, Jenkins, Azure DevOps, or similar platforms.

• Develop scripts and pipeline logic to automate SAST, SCA, and DAST scans.

• Partner with cloud engineering, platform, and development teams to implement secure-by-default CI/CD templates.

• Improve signal quality by tuning scans and reducing false positives.

• Act as a senior technical advisor on secure coding and remediation strategies.

• Support the application vulnerability management lifecycle including remediation validation.

• Perform secure code reviews to identify vulnerabilities, validate findings, and provide actionable remediation guidance to developers.

• Develop and drive secure coding training and AppSec best practices (e.g., OWASP Top 10), including coaching teams on integrating secure-by-design patterns into day-to-day development.

• Drive developer adoption of security tooling through training, peering, and developing strong instructional documentation.

• Mentor application security engineers and contribute to internal standards.

• Collaborate with broader InfoSec teams to align AppSec outcomes with enterprise risk management.

The ideal candidate has strong hands-on experience in application security combined with practical experience working in or alongside developer and cloud engineering teams. They are comfortable writing automation, understand modern CI/CD pipelines, and can translate security requirements into scalable engineering solutions.

You May be a Good Fit if:

• Demonstrable experience personally delivering SecDevOps outcomes in an enterprise environment.

• Strong experience integrating security tooling into CI/CD pipelines. Ability to provide context for an agent that would propose fixes and features for the existing pipeline security stages, as well as experience or proficiency in using an agent-first approach to maintaining and testing stages.

• Experience supporting application infrastructure in multi-cloud environments.

• Hands-on scripting experience (Python, Bash, PowerShell, YAML) for pipeline automation.

• Experience developing controls for a Web Application Firewall (WAF) using different solutions like F5, AWS/Azure WAF, etc.

• Deep understanding of secure software development lifecycle principles.

• Experience with SAST, DAST, and SCA tools and result interpretation.

  • Hands-on experience performing source code reviews to identify common vulnerability classes (e.g., injec

Skills & Requirements

Technical Skills

Python, Bash, PowerShell, YAML, GitHub Actions, Jenkins, Azure DevOps, Web Application Firewall (WAF), F5, AWS WAF, Azure WAF, SAST, DAST, SCA, OWASP Top 10, Secure software development lifecycle, Source code reviews

Employment Type

FULL TIME

Level

senior

Posted

4/19/2026
