How to hire an Application Security Engineer in 2026

Cost, skills to screen for, where to source candidates, and how to write the job description - backed by live market data.

67 Application Security Engineer roles open now · 49% offer remote · $195k median US budget. Live from current listings on InfoSec Job Board - the market you are hiring against.

An application security engineer is the person who keeps the code your business ships from becoming your next breach. They live where security meets the software development lifecycle - threat-modelling designs, reviewing code, running SAST/DAST/SCA, and coaching developers to fix the real issues without grinding delivery to a halt. Hire well and security becomes part of how your engineers build; hire someone who only files tickets and you get friction, shelf-ware scanners, and vulnerabilities that ship anyway.

What you are actually hiring for

An AppSec engineer secures the software you build - distinct from a security engineer (who secures the infrastructure it runs on) and a penetration tester (who tests it from the outside at a point in time). The core work:

  • Secure SDLC and tooling: wiring SAST, DAST, SCA, and secrets scanning into CI so issues surface early, and tuning them so developers trust the output instead of ignoring it.
  • Threat modelling and design review: finding the risky design decision before it ships - the highest-leverage thing an AppSec engineer does.
  • Secure code review and vulnerability triage: reading real code, separating true positives from noise, and driving fixes with the teams that own them.
  • Developer enablement: paved-road libraries, secure defaults, and training so the average pull request is safer by default.

Stage shapes the role: a startup wants one pragmatic generalist to stand up the whole AppSec program; a scale-up wants someone to build self-service tooling and embed with product teams; an enterprise wants a specialist in a domain (product security, a specific stack, or the secure-SDLC platform). Decide which before you write the posting.

What to budget

AppSec sits among the higher-paid security bands because it demands real software-engineering ability on top of security depth - you are competing with senior engineering roles for the same people. Below is what employers actually budget in the US (live, from disclosed-pay postings), followed by market benchmarks by country.

What to budget in the US (via AppSec roles)

$195k median

Typical range $145k-$225k · from 8 disclosed US postings

Country          Salary range (market benchmark)
United States    $120k–$185k
Canada           C$112k–C$181k
United Kingdom   £52k–£83k
Germany          €60k–€93k
Australia        A$121k–A$194k
Singapore        S$95k–S$155k
Netherlands      €57k–€91k
Kenya            KES 2.4M–4.1M

Market benchmark (refreshed quarterly); the live salary report carries the current cuts from open jobs.

Two budgeting notes: someone who can both find vulnerabilities in code and write the tooling to prevent them is rarer and pricier than a scanner-operator, and worth it; and total compensation (equity, bonus) matters more here than in most cyber roles because strong candidates compare against software-engineering offers.

What to screen for

AppSec is skills-driven - a strong GitHub, CTF record, or bug-bounty history outweighs any credential (there is no single dominant AppSec cert). Screen for:

  • Can they actually read and break code? Hand them a vulnerable snippet and watch them find the flaw and propose a real fix - not just name the OWASP category.
  • Threat-modelling instinct. Give them a simple design and ask where it breaks. Strong candidates find the risky decision fast; weak ones recite a checklist.
  • Developer empathy. The best AppSec engineers ship secure defaults and trusted tooling so teams move faster - the weak ones become a gate everyone routes around.
  • Tooling judgement. Comfort wiring SAST/DAST/SCA into CI and tuning out the noise; the specific vendor is trainable, the judgement is not.

Green flags: shipped a security tool or library, bug-bounty or CTF history, "I cut our false-positive rate by X and devs started using it". Red flags: can name scanners but not read code, treats AppSec as ticket-filing, no empathy for shipping under deadline.
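To make the "hand them a vulnerable snippet" screen concrete, here is an added, constructed exercise (not from the job board or any employer's interview kit): the flawed function a candidate is shown, the parameterised fix a strong candidate should propose, and the regression check that keeps the fix honest. The in-memory sqlite3 table and its two users are constructed sample data.

```python
import sqlite3

# Constructed sample data (added example): an in-memory users table so the
# exercise runs offline with no external database.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn

# Step 1: the snippet handed to the candidate. The defect is untrusted input
# concatenated into the SQL statement; naming "injection" is not enough,
# the candidate should point at the f-string and explain why it is the bug.
def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()

# Step 2: the real fix a strong candidate proposes: bind the input as a
# parameter so it is treated as data and can never alter the statement.
def find_user_fixed(conn: sqlite3.Connection, username: str) -> list:
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()

# Step 3: the regression check a developer-minded candidate adds so CI, not
# memory, guards the fix. Returns True when the classic tautology input
# leaks every row from the vulnerable version but matches no user in the
# fixed one, i.e. the fix actually changes behaviour on hostile input.
def fix_holds(conn: sqlite3.Connection) -> bool:
    payload = "' OR '1'='1"
    leaked = find_user_vulnerable(conn, payload)   # every row comes back
    fixed = find_user_fixed(conn, payload)         # no user has that name
    return len(leaked) == 2 and fixed == []

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", find_user_vulnerable(db, "' OR '1'='1"))
    print("fixed:     ", find_user_fixed(db, "' OR '1'='1"))
    print("fix holds: ", fix_holds(db))
```

A candidate who also asks whether the query lives behind an ORM, or where else in the codebase the same pattern appears, is showing the tooling judgement the list above describes.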

Where to find candidates

The strongest AppSec engineers usually have real software-engineering roots:

  • Software engineers who moved into security - they already have the code fluency that is hardest to teach.
  • Penetration testers who moved builder-side - strong on finding vulnerabilities, learning to prevent them at scale.
  • Security engineers who specialised into product security, plus active bug-bounty and CTF communities where the skill is visible.

Certs (CompTIA Security+, OSCP, CISSP) are a weaker signal here than in most security roles - weight a portfolio, a CVE, or a shipped tool over any credential.

AppSec roles hiring now - who else is hiring and what they offer:

  • Product Security Engineer · Vercel · Remote - United States · $208,000 - $312,000 · Posted Jun 26
  • Product Security Analyst · HackerOne · Washington DC · $120K – $155K · Posted Jun 25
  • Product Security Analyst III · ExtraHop · Remote · $135,000 - $149,000 · Posted Jun 24

Writing the job description

Be specific - vague AppSec postings attract scanner-operators, not engineers:

  • Name the stack (languages, frameworks, cloud) - AppSec depth is language-specific, so candidates self-select on it.
  • Say whether it is a build role (tooling, secure-SDLC platform) or an assess role (review, threat-modelling, triage) - they attract different people.
  • Publish the salary range - AppSec candidates compare against engineering offers and skip unpriced postings.
  • State remote/hybrid plainly - AppSec work is remote-friendly and saying so widens the pool.

Frequently asked questions

How much should I budget to hire an Application Security Engineer?
In the United States, budget around $195k median for an application security engineer (estimated from AppSec roles), with a typical range of $145k-$225k from 8 disclosed live postings. Senior and staff levels run higher.
How hard is it to hire an Application Security Engineer right now?
Security talent is in tight supply - we currently list 67 active Application Security Engineer roles across 150+ employers, so you are competing on speed and offer. Posting on a specialist board reaches candidates already searching for security work.
What certifications should I require for an Application Security Engineer?
Do not over-index on certs - demonstrable hands-on skill (code, cloud, a home lab) outweighs paper, and a hard cert requirement shrinks an already-thin pool. Where certs matter (government-adjacent, enterprise, HR filters), the most-requested are CompTIA Security+, OSCP, and CISSP. Treat them as a positive signal, not a gate.
Should I hire a remote or onsite Application Security Engineer?
Many application security engineers expect remote or hybrid, and opening the role to remote materially widens your candidate pool. The live snapshot above shows the share of these roles currently offered remote.
How much does it cost to post an Application Security Engineer job?
$299 for a 30-day listing on InfoSec Job Board - flat, no subscription, Google Jobs eligible. Candidates apply directly to your ATS.
