Application Security Engineer

Who are we?

The Motley Fool is a purpose-driven financial services company on a mission to make the world smarter, happier, and richer. For 30 years, we’ve been helping people make better investment decisions through transparency, education, and Foolish fun. We’re a fast-moving, collaborative team that values high-quality work, curiosity, and initiative. We care deeply about what we do, and we’re driven by the impact our work has on real people’s financial futures.

About the Role

We’re seeking a mid to senior-level Application Security Engineer with strong technical instincts, a bias for action, and the ability to own complex projects end-to-end. You’ll be part of a high-impact team responsible for identifying, validating, and remediating security risks across a multi-language environment (Python, C#, PHP). This is not a checkbox role—success here means taking initiative, verifying deeply, and driving security outcomes without waiting to be told.

A growing focus of this role will be securing AI and LLM-based applications. This is an emerging and rapidly evolving area of security, and we’re looking for someone excited to help define best practices, assess novel risks, and build safeguards into how we use generative AI. You don’t need to be an expert yet—but curiosity, initiative, and a willingness to learn fast are essential.

Key Responsibilities

Project Ownership

• Own and deliver application security initiatives end-to-end.
• Define clear quarterly SMART goals and drive toward their completion.
• Engage stakeholders proactively and escalate blockers before they become issues.
• Take full responsibility for the delivery of project ownership.

Technical Depth

• Validate findings through hands-on testing; never assume without verification.
• Produce detailed, technically accurate risk assessments and remediation advice.
• Investigate deeply using tools like Semgrep, Feroot, Source Defense, and Noname.
• Understand the context of the applications you’re securing—business logic, threat model, and operational constraints.
• Stay current on insecure practices (e.g., eval, shell injection, unsafe deserialization) and ensure they’re recognized and flagged appropriately.

Active Participation and Autonomy

• Speak up early when you see risk, blockers, or better ways to solve problems.
• Share context, findings, and decisions proactively in meetings and documentation.
• Follow through on action items; own gaps and next steps.
• Operate with transparency—acknowledge unknowns and follow up with answers.

Qualifications

• Experience: 3–7 years in Application Security, Penetration Testing, or Secure Software Development.
• Technical Skills:
  • Strong background in Python or other backend languages (C#, PHP).
  • Experience with security testing methodologies and tools, including SAST, DAST, IAST, RASP, SCA, API Security tools (e.g., Noname, Traceable, Levo), Client-side Security tools (e.g., Feroot, Source Defense), and CNAPP.
  • Working familiarity with cloud-based technologies, particularly AWS (e.g., IAM, VPCs, S3, Lambda, CloudFront, Security Groups).
  • Deep understanding of OWASP Top 10, CWE Top 25, and secure SDLC principles.
  • Comfortable working directly with developers and cross-functional stakeholders.
• Non-Traditional Backgrounds Welcome: We also welcome candidates with non-traditional security backgrounds. If you come from software development, infrastructure, or a related technical field and are passionate about building a long-term career in security, we’d love to hear from you.

Bonus Points

• Contributions to open-source, bug bounty programs, or security communities.
• Familiarity with compliance standards like PCI-DSS, SOC 2, or ISO 27001.
• Prior experience in environments with distributed teams or high agility.

We value people who take initiative, challenge the status quo, and consistently raise the bar. If that’s how you work, you’ll thrive here.

Please note, no sponsorship is available for this position. You must reside in, or be willing to relocate.