Who We Are
Through our service brands Hyundai Motor Finance, Genesis Finance, and Kia Finance, Hyundai Capital America offers a wide range of financial products tailored to meet the needs of Hyundai, Genesis, and Kia customers and dealerships. We provide vehicle financing, leasing, subscription, and insurance solutions to over 2 million consumers and businesses. Embodying our commitment to grow, innovate, and diversify, we strive to reimagine the customer and dealer experience and launch innovative new products that broaden our market reach. We believe that success comes from within and are proud to support our team members through skill development and career advancement. Hyundai Capital America is an Equal Opportunity Employer committed to creating a diverse and inclusive culture for our workforce. We are a values-driven company dedicated to supporting both internal and external communities through volunteering, philanthropy, and the empowerment of our Employee Resource Groups. Together, we strive to be the leader in financing freedom of movement.
We Take Care of Our People
Along with competitive pay, as an employee of HCA, you are eligible for the following benefits:
· Medical, Dental and Vision plans that include no-cost and low-cost plan options
· Immediate 401(k) matching and vesting
· Vehicle purchase and lease discounts plus monthly vehicle allowances
· Paid Volunteer Time Off with company donation to a charity of your choice
· Tuition reimbursement
What to Expect
The Sr. Application Security Engineer will be responsible for designing, implementing, and testing security controls for financial applications, ensuring protection against threats such as data breaches, injection attacks, and unauthorized access. Reporting to the Sr. Manager, Security Engineering & Architect, this role will focus on embedding security into the software development lifecycle (SDLC), conducting vulnerability assessments, and collaborating with development teams to build secure applications. In addition, this role will collaborate with Identity and Access Management (IAM) and Data Loss Prevention (DLP) systems and ensure compliance with financial regulations (e.g., PCI DSS, GDPR, Korean SOX, FFIEC).
What You Will Do
1. Application Security Design and Implementation:
· Secure Application Development: Collaborate with development teams to design and implement secure coding practices, ensuring applications (e.g., web, mobile, APIs) are built with security-by-design principles.
· Security Controls: Implement and maintain application security controls, including input validation, secure session management, encryption, and secure API design, to protect financial data and transactions.
· Code Review: Perform manual and automated code reviews using tools (e.g., SonarQube, Snyk, JFrog, etc.) to identify and remediate vulnerabilities such as OWASP Top 10 (e.g., SQL injection, XSS, CSRF).
· Threat Modeling: Conduct threat modeling for financial applications using frameworks (e.g., STRIDE, MITRE ATT&CK) to identify and mitigate risks early in the SDLC.
2. Vulnerability Management and Testing:
· Static and Dynamic Analysis: Conduct static application security testing (SAST) and dynamic application security testing (DAST) to identify vulnerabilities in application code and runtime environments.
· Penetration Testing: Perform application-focused penetration testing to validate security controls and simulate real-world attacks (e.g., account takeover, data exfiltration).
· Vulnerability Remediation: Work with developers to prioritize and remediate vulnerabilities, providing guidance on secure coding fixes and best practices.
· Bug Bounty Programs: Support the management of bug bounty programs, triaging reported vulnerabilities and coordinating fixes with development teams.
3. Integration with IAM and DLP:
· IAM Integration: Collaborate with the IAM team to implement secure authentication and authorization mechanisms (e.g., OAuth, OpenID Connect, JWT) in applications, aligning with zero-trust principles and RBAC/MFA requirements.
· DLP Integration: Work with the DLP team to embed data loss prevention controls (e.g., Symantec DLP, Microsoft Purview) into applications, ensuring sensitive financial data (e.g., PII, payment card data) is protected from unauthorized access or exfiltration.
· Secure API Design: Design and secure APIs used in financial applications, integrating with IAM and DLP systems to enforce access controls and data protection policies.
4. DevSecOps and Automation:
· DevSecOps Integration: Embed security into CI/CD pipelines using tools (e.g., Jenkins, Bitbucket, GitHub, etc.), automating security scans, and ensuring secure deployments in financial environments.
· Security Tooling: Deploy and manage application security tools (e.g., Snyk, OWASP ZAP, Burp Suite) within development workflows to enable continuous security testing.
· Scripting and Automation: Develop scripts (e.g., Python, Bash, PowerShell) to automate security testing, vulnerability scanning, and compliance checks in the SDLC.
· Container Security: Secure containerized applications (e.g., Docker, Kubernetes) used in financial services, implementing runtime protection and image scanning.
5. Compliance and Risk Management:
· Regulatory Compliance: Ensure application security practices comply with financial regulations (e.g., PCI DSS, GDPR, Korean SOX, FFIEC, NYDFS) through secure coding, documentation, and audit-ready configurations.
· Risk Assessments: Conduct application risk assessments to identify and mitigate vulnerabilities, such as insecure dependencies or misconfigured APIs.
· Policy Enforcement: Enforce application security policies and standards based on industry frameworks (e.g., OWASP, NIST 800-53, ISO 27001).
· Vendor Security: Assess third-party libraries, APIs, and SaaS integrations for security risks, ensuring compliance with financial security requirements.
6. Collaboration and Training:
· Developer Collaboration: Partner with software engineering, DevOps, IAM, and DLP teams to integrate security into application development and deployment processes.
· Security Training: Provide training and guidance to developers on secure coding practices, OWASP vulnerabilities, and financial-specific threats (e.g., fraud, data breaches).
· Incident Response Support: Assist in incident response for application-related security incidents, such as data breaches or API exploits, collaborating with SOC and incident response teams.
· Knowledge Sharing: Mentor junior engineers and contribute to the organization’s security knowledge base with best practices and lessons learned.
7. Documentation and Reporting:
· Security Documentation: Create and maintain documentation for application security designs, vulnerability reports, and remediation plans to support audits and incident response.
· Reporting: Provide regular reports on application security posture, vulnerabilities, and remediation progress to the Director of Cybersecurity and other stakeholders.
· Metrics: Develop and track metrics (e.g., vulnerability resolution time, secure code coverage) to measure application security effectiveness and drive continuous improvement.
What You Will Bring
· Minimum 8 years of progressive experience in cybersecurity with proven knowledge of application security engineering or secure software development.
· 2+ years of experience in financial services, with a strong understanding of financial application threats (e.g., fraud, API attacks) and regulations (e.g., PCI DSS, Korean SOX, GDPR).
· Hands-on experience securing web, mobile, and API-based applications in regulated environments.
· Proven track record of integrating application security with IAM (e.g., SailPoint, OAuth) and DLP (e.g., Symantec DLP, Microsoft Purview) systems.
· Bachelor’s degree in Computer Science, Cybersecurity, Software Engineering, or a related field.
· Master’s degree preferred.
· At least one of the following: CISSP, CSSLP, CEH, OSCP, or equivalent. Application security certifications (e.g., GWAPT, GWEB) a plus.
Technical Skills:
· Technical expert with deep experience in application security, financial services, and DevSecOps practices.
· Expertise in application security tools (e.g., SonarQube, JFrog, Snyk, Checkmarx, Fortify, OWASP ZAP, Burp Suite) for SAST, DAST, and penetration testing.
· Proficiency in secure coding practices and frameworks (e.g., OWASP Top 10, Secure SDLC).
· Strong knowledge of IAM protocols (e.g., OAuth, OpenID Connect, SAML) and DLP integration for data protection.
· Experience with CI/CD pipelines (e.g., Bitbucket, Jenkins, GitLab, Jira) and DevSecOps practices.
· Knowledge of security frameworks such as NIST, ISO 27001, and COBIT.
· Familiarity with cloud platforms (e.g., AWS, Azure, Google Cloud, Oracle Cloud) and container security (e.g., Docker, Kubernetes).
· Proficiency in scripting (e.g., Python, Bash, PowerShell) for automation and security testing.
· Knowledge of financial applications (e.g., core banking, payment gateways) and their security requirements.
Soft Skills:
· Strong problem-solving skills to address complex architectural challenges.
· Excellent communication skills to articulate technical concepts to technical and non-technical stakeholders.
· Detail-oriented with the ability to prioritize and manage multiple security tasks.
Preferred
· Experience with AI-driven application security tools or threat detection systems.
· Familiarity with zero-trust architecture and secure API design for financial services.
· Knowledge of financial fraud prevention techniques (e.g., anti-money laundering, transaction monitoring).
· Experience working with MSSPs for application security support.
· Understanding of emerging trends, such as serverless security or secure microservices.
Work Environment
Employees in this class are subject to extended periods of sitting, standing, and walking; use of vision to monitor; and moderate noise levels. Work is performed in an office environment.
The posted salary range for this job takes into account the wide range of factors that are considered in making compensation decisions including but not limited to skill sets; experience and training; licensure and certifications; geographic location, and other business and organizational needs. Successful candidates may be hired anywhere in the salary range based on these factors. It is uncommon to hire candidates at or near the top of the range.
California Privacy Notice
This notice only applies to our applicants who reside in the State of California.
The latest version of our Privacy Policy can be found here. This Privacy Policy provides you with notice, at or before the point of collection, about the categories of personal information to be collected from you, the purposes for which your personal information is collected or used, and whether that information is sold or shared, so that you can exercise meaningful control over our use of your personal information. We are providing this notice to comply with the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CCPA”).
If you have any questions about CCPA regarding California residents or HCA team members, please contact the Privacy Team at .
Schedule: Full-time