
Application Security Engineer

Company Overview

Interactive Brokers Group, Inc. (Nasdaq: IBKR) is a global financial services company headquartered in Greenwich, CT, USA, with offices in over 15 countries. We have been at the forefront of financial innovation for over four decades, known for our cutting-edge technology and client commitment.

IBKR affiliates provide global electronic brokerage services around the clock on stocks, options, futures, currencies, bonds, and funds to clients in over 200 countries and territories. We serve individual investors and institutions, including financial advisors, hedge funds and introducing brokers. Our advanced technology, competitive pricing, and global market access help our clients make the most of their investments.

Barron's has recognized Interactive Brokers as the #1 online broker for six consecutive years. Join our dynamic, multi-national team and be a part of a company that simplifies and enhances financial opportunities using state-of-the-art technology.

About the Role

We are looking for an Application Security Engineer who lives at the intersection of security and engineering. This is not a policy role — you will be hands-on building, tuning, and scaling the security scanning infrastructure that protects our software delivery pipeline. You will own SAST, DAST, and SCA tooling end to end, drive false positive reduction, and embed security gates directly into CI/CD workflows across engineering teams. A deep understanding of how vulnerabilities actually work — not just what scanners report — is fundamental to success in this role. 

The Problem We're Solving

We operate in a complex, regulated environment — multiple languages, layered network boundaries, and delivery velocity that cannot be sacrificed for security theater. We are building a scanning program that works in that reality. Tuned, automated, trusted — coverage that is measurable and findings that engineers actually act on. This role exists to solve that problem.

What You'll Do

  • Own and operate static, dynamic, and software composition analysis scanning platforms across all engineering pipelines — onboarding new repositories, tuning rulesets, and maintaining coverage metrics 
  • Build and maintain CI/CD security gates that enforce scan policies at pull request, merge, and release stages across engineering workflows 
  • Write custom detection rules tailored to the organization's tech stack and threat model — covering vulnerability classes specific to the languages and frameworks in use 
  • Triage and prioritize scan findings with a deep understanding of actual exploitability — distinguish true positives from noise, explain the real-world impact of each finding, and build suppression workflows that reduce false positive rates without creating blind spots 
  • Develop automation to ticket, deduplicate, and route findings to the right engineering teams with enough context for developers to understand and act on them 
  • Integrate dynamic scanning into pre-production environments with authenticated coverage — understanding what attack surface is actually reachable versus what scanners miss 
  • Partner with engineering teams on remediation — provide exploit context, reproduce findings where necessary, and give concrete fix guidance grounded in how the vulnerability actually works 
  • Support software composition analysis and dependency security programs — tying third-party vulnerabilities back to actual reachability and exploitability in the codebase rather than treating every CVE as equal severity 
  • Contribute to the security champions program — help developers understand not just what is flagged but why it matters and how an attacker would use it 
  • Run structured evaluations of new tooling and drive buy vs build decisions with documented PoC results 

What We're Looking For

These areas are the capabilities we are looking for. Strong candidates will not check every box. If you are strong in any of the areas below, we want to hear from you. Depth in one area with curiosity about the others matters more than surface-level familiarity across all of them.

  • 5-7 years in application security, DevSecOps, or a security engineering role with tooling focus 
  • Strong foundational knowledge of how web application vulnerabilities work at a technical level — injection classes, broken authentication patterns, insecure deserialization, XXE, SSRF, IDOR, race conditions, and business logic flaws — not just awareness of their names 
  • Ability to read a scan finding and independently reason about whether it is exploitable in context — understanding data flow, trust boundaries, and what an attacker would actually need to trigger it 
  • Hands-on experience deploying and tuning SAST platforms — writing or modifying rules, understanding AST-based and dataflow analysis, and knowing where static analysis fundamentally cannot reach 
  • Experience integrating security tooling into CI/CD pipelines and enforcing policy at key delivery gates 
  • Proficiency in at least one scripting language — Python or Go strongly preferred — for automation and tooling development 
  • Experience with DAST tooling in authenticated scan configurations — understanding what authenticated coverage requires and how session handling, CSRF tokens, and multi-step flows affect scan fidelity 
  • Familiarity with SCA concepts — dependency graphs, transitive vulnerabilities, license risk, reachability analysis, and SBOM formats including CycloneDX and SPDX 
  • Ability to read and reason about code across multiple languages 

Nice to Have

  • Development background — candidates who have written production code and personally addressed security vulnerabilities in a codebase bring a fundamentally different perspective to this role; they understand why developers make the choices they do, where fixes break things, and how to give remediation guidance that engineers will actually implement 
  • Background that spans both sides of the SDLC — having sat in a developer role before moving into security means stronger partnerships with engineering teams and more credible guidance during code review and triage conversations 
  • Experience writing custom detection logic for organization-specific vulnerability patterns beyond out-of-the-box scanner coverage 

What We Offer

  • Competitive salary package.
  • Performance-based annual bonus (cash and stocks).
  • Hybrid working model (3 days office/week).
  • Group Medical & Life Insurance.
  • Modern offices with free amenities & fully stocked cafeterias.
  • Monthly food card & company-paid snacks.
  • Hardship/shift allowance with company-provided pickup & drop facility*
  • Attractive employee referral bonus.
  • Frequent company-sponsored team building events and outings.

Location & Eligibility

Where is the job: India (on-site within the country)
Who can apply: IN

Listing Details

Posted: June 3, 2026
First seen: June 3, 2026
Last seen: June 3, 2026
