Autodesk

Application Security Developer

Toronto, ON, CAN Full time

Job Requisition ID # 26WD97514

Position Overview

Our team of security experts helps Autodesk design, build, deploy, and maintain secure products. We embed security across the full software development lifecycle—from inception and design to development, testing, and cloud operations—while proactively addressing emerging threats.

Our mission is to stay ahead of adversaries and protect our customers’ data and investments by strengthening applications, services, and infrastructure. As an Application Security Developer (DAST & API Security), you will help secure Autodesk’s web applications and APIs by identifying and validating vulnerabilities in real-world execution environments. You will partner with product and engineering teams to perform dynamic testing, triage findings, and support remediation, while helping integrate security testing into CI/CD pipelines.

This is a mid-level, hands-on role focused on execution and collaboration, with opportunities to grow your expertise across modern architectures (microservices, SPAs, and API-driven systems) at scale.

   

Responsibilities  

  • Perform dynamic application security testing (DAST) against web applications and APIs to identify runtime vulnerabilities, including authentication, authorization, and business logic flaws 

  • Conduct API security assessments (REST, GraphQL, gRPC), validating authentication flows, authorization models, rate limiting, and data exposure risks

  • Execute and support web application security testing, including manual testing and automated scanning aligned with OWASP Top 10 and API Top 10

  • Analyze and triage findings from DAST tools and scanners, tuning configurations to improve signal quality and reduce false positives 

  • Partner with engineering teams to remediate vulnerabilities, providing clear, actionable guidance on fixes and secure design patterns

  • Integrate DAST and API security testing into CI/CD pipelines, enabling continuous and automated security validation

  • Collaborate with teams to implement and optimize security controls such as WAFs, API gateways, and runtime protections

  • Contribute to security testing strategies, including automation, tooling selection, and coverage improvements across services  

  • Provide developer education and guidance on web and API security risks, exploitation techniques, and remediation best practices

  • Track, prioritize, and report on security findings and trends to improve overall application and API security posture

  

Minimum Qualifications

  • 3–5 years of experience in application security, penetration testing, or a related field

  • Hands-on experience with DAST tools (e.g., Burp Suite, OWASP ZAP, Netsparker, Acunetix), combined with the ability to manually validate findings

  • Strong understanding of web application security (OWASP Top 10) and API security risks (OWASP API Top 10)

  • Experience testing modern architectures (microservices, SPAs, API-driven systems)

  • Practical knowledge of authentication and authorization mechanisms (OAuth, OIDC, JWT, session management)

  • Familiarity with API protocols and formats (REST, GraphQL, JSON, XML, gRPC)

  • Experience supporting security testing within CI/CD pipelines or DevSecOps workflows

  • Ability to identify and exploit common vulnerabilities such as injection, XSS, CSRF, and broken access control

  • Working knowledge of HTTP/S and web protocols

  • Proficiency in scripting or programming (e.g., Python, JavaScript, or Go)

  • Strong analytical and problem-solving skills with the ability to triage and prioritize vulnerabilities

  • Effective communication skills to explain risks and remediation steps to engineering teams

Preferred Qualifications

  • Experience performing manual penetration testing of web applications and APIs

  • Familiarity with advanced DAST techniques (e.g., fuzzing, parameter discovery)

  • Knowledge of runtime security controls such as WAFs, RASP, or API security platforms

  • Experience with cloud environments (AWS, Azure, GCP) and securing cloud-native applications

  • Familiarity with security testing automation frameworks

  • Experience with bug bounty programs or vulnerability disclosure processes

  • Contributions to security standards, playbooks, or developer training

About Autodesk

Welcome to Autodesk! Amazing things are created every day with our software – from the greenest buildings and cleanest cars to the smartest factories and biggest hit movies. We help innovators turn their ideas into reality, transforming not only how things are made, but what can be made.

We take great pride in our culture here at Autodesk – it’s at the core of everything we do. Our culture guides the way we work and treat each other, informs how we connect with customers and partners, and defines how we show up in the world.

When you’re an Autodesker, you can do meaningful work that helps build a better world designed and made for all. Ready to shape the world and your future? Join us!

Salary transparency

Salary is one part of Autodesk’s competitive compensation package. For Canada-based roles, we expect a starting base salary between $80,000 and $116,600. Offers are based on the candidate’s experience and geographic location, and may exceed this range. In addition to base salaries, our compensation package may include annual cash bonuses, commissions for sales roles, stock grants, and a comprehensive benefits package.

Diversity & Belonging

We take pride in cultivating a culture of belonging where everyone can thrive. Learn more here: https://www.autodesk.com/company/diversity-and-belonging

Are you an existing contractor or consultant with Autodesk?

Please search for open jobs and apply internally (not on this external site).