Senior Application Security Engineer

Senior Application Security Engineer 

Nordstrom is building a new Application Security team, built on a simple idea: teams shouldn’t have to choose between moving fast and shipping securely. As one of the first hires, you’ll build the tooling and secure defaults that protect our web, mobile, and API ecosystem, do the deep work tooling can’t, and help shape how we build with AI. You’ll report to the Senior Manager of Application Security and partner closely with product engineering and DevOps, alongside our security peers in pentest, attack surface management, and platform. 

A Day in the Life 

• Build secure-by-default patterns and paved-road tooling so teams get security built into the pipelines and frameworks they already use 

• Own the AppSec tooling stack (SAST, SCA, secrets scanning, DAST), tune it for signal over noise, and route findings into where engineers already work 

• Automate the security work that doesn’t need human judgment, and save manual review for the work that does 

• Partner with our security teams, mentor engineers and champions, and raise the application security bar across the org 

More About You 

• You’d rather build the guardrail than write the policy, and you’ve shipped tooling that changed how other engineers work 

• You go looking for the problems worth solving and own them end to end 

• You’re the security person other teams want in the room, because you explain risk clearly, respect how teams work, and help them find a fix that fits 

• You think in risk, not severity scores. You know the difference between a finding that’s exploitable in our context and one that just looks scary, and you prioritize accordingly 

Qualifications 

• 4+ years in application security, secure software development, or a closely related field, with a bachelor’s or master’s in Computer Science, Information Security, Cybersecurity, or a related field, or equivalent experience 

• A track record shipping security tooling, automation, or reusable patterns, not just operating off-the-shelf tools 

• Expert-level threat modeling, security design review, and manual code review, with deep knowledge of application and API vulnerability classes and how to design them out 

• Fluent enough to read and write code in languages like Java, Kotlin, C#, or Python 

• Hands-on fluency using AI to accelerate real security work, with judgment about where to trust it and where to verify 

• Working knowledge of how LLM and agent features fail, including prompt injection, unsafe tool and permission use, and data leakage through model outputs 

• Cloud-native, container, and serverless security (AWS, GCP, Azure, Kubernetes) 

Nice to Have 

• Hands-on with GitHub Advanced Security and JFrog Artifactory, or similar 

• Offensive security experience 

• Vulnerability disclosure or bug bounty program experience 

• Production software engineering background 

• Certifications such as CSSLP, CISSP, OSWA, OSWE, GWAPT, or GMOB