Application Security Engineer

Job Family: JF-SECENG — Security Engineering Job Level Range: L1-L4 (CERG Grade S1-S4) CERG Canonical Role: Application Security Engineer (CERG-GOV-OM-001 §6.1)

1. Role Summary

The Application Security Engineer owns application security: the tools, rulesets, and practices that find and fix vulnerabilities before code reaches production. They govern SAST, DAST, SCA, and container scanning, set secure development gates, lead threat modeling for applications, and ensure the security of in-house and embedded AI systems. They are accountable for the Secure Software Development and Artificial Intelligence Security standards.

2. NICE Workforce Framework Mapping

NICE Work Role Definition: See JF-002 for the official NICE Work Role definition and complete CERG-to-NICE mapping. The NICE TKS database is available at https://www.nist.gov/nice/framework/.

3. Job Family & Level Placement

4. Key Responsibilities

4.1 Core Responsibilities (All Grades)

• Govern application security testing tooling: SAST, DAST, SCA, container scanning, and API security testing - Define and enforce secure development gates in CI/CD pipelines - Lead threat modeling for in-house applications per the Threat Modeling Procedure - Review application architectures for security adequacy during the architecture review process - Own the security assessment of in-house AI systems, including prompt injection, data leakage, excessive agency, and model supply chain risks - Maintain the Secure Software Development and Application Security Standard and the Artificial Intelligence Security Standard - Triage and prioritize application security findings, working with development teams on remediation - Develop and deliver secure coding guidance and training materials for development teams - Support incident response for application-level compromises: injection attacks, authentication bypass, data exfiltration via application vulnerabilities

4.2 Grade-Level Responsibility Differentiation

Grade-level responsibility differentiation for this role is defined in JA-001 §7 (Role-to-Grade Mapping). The grade definitions (S1-S4 SME Track, M1-M4 Management Track) and leveling dimensions are in CERG-GOV-JA-001 §4-5. Behavioral anchors at each grade are in CMP-001.

5. Required Knowledge, Skills, and Abilities (KSAs)

5.1 Domain Expertise

• Deep expertise in application security testing: SAST, DAST, SCA, IAST, RASP - Secure coding practices across multiple languages and frameworks - Threat modeling methodologies (STRIDE, PASTA, attack trees) - OWASP Top 10, OWASP ASVS, and OWASP API Security Top 10 - CI/CD pipeline security and DevSecOps practices - AI/ML security: OWASP Top 10 for LLM Applications, model supply chain risks, prompt injection defenses - Web application architecture: microservices, APIs, SPAs, serverless

5.2 Technical Skills

Technical skills for this role are documented in the original JD-001 content extracted into this file (see §5.1 Domain Expertise). Additional technical skill definitions aligned to NICE Skill Statements are maintained in JF-002.

5.3 CERG-Specific Knowledge

CERG-specific knowledge requirements for this role are defined in OM-001 §6 (Canonical Role Roster) and RAC-001 §7 (Role Descriptions). See §12 (Related CERG Documents) for the complete list of standards and procedures relevant to this role.

6. NICE TKS Statement References

The following Task, Knowledge, and Skill statements are extracted from the NIST NICE Framework v2.2.0 Work Role [DD-WRL-005 — Application Security Engineer primary mapping] and filtered by relevance to this CERG role. The full TKS database is maintained at https://www.nist.gov/nice/framework/.

Full TKS Reference: The complete TKS statement set for the primary NICE Work Role (SP-DEV-001 → DD-WRL-005) is in the NICE Framework Components v2.2.0 dataset (download). JF-002 contains the complete CERG-to-NICE crosswalk with secondary role mappings.

7. Typical Qualifications

7.1 Education

• 3-12+ years in application security or secure software development - Bachelor’s degree in computer science or equivalent development experience - Relevant certifications: GWEB, CSSLP, OSWE, or equivalent - Development experience in at least one modern language/framework preferred

7.2 Certifications

Certifications for this role are defined in TRN-001 §3 (Certification Matrix). The matrix specifies Required, Recommended, and Aspirational certifications per role and grade.

7.3 Experience

Typical experience ranges by grade are defined in JA-001 §4-5. See §7.1 (Education) above for education requirements.

8. Key Performance Indicators (KPIs)

KPIs for this role are defined in MTR-001 (Metrics, Dashboard, and CISO/Board Reporting). KPI allocation by job family and grade-level thresholds are documented in PERF-001. Each role’s evaluation criteria are embedded in the per-role JD document structure defined by JF-001.

9. Competency Expectations by Grade

Competency expectations for this role follow the Engineering pillar behavioral anchors from CERG-GOV-CMP-001. Each cell describes observable behavior demonstrating the competency at that grade. Anchors are cumulative: an L3 expectation includes the L1 and L2 anchors.

Full Reference: See CERG-GOV-CMP-001 for the complete competency model, including the Management Track addendum (§7) and guidance on using the model for hiring, development, and promotion (§8).

10. Success Profile

An Application Security Engineer is successful when security is a natural, frictionless part of the software development lifecycle. Key indicators: SAST/DAST/SCA tools are integrated into CI/CD pipelines with low false-positive rates; findings from security reviews are fixed before deployment, not tracked as technical debt; developers seek security input early in the design phase; the mean time to remediate a critical application vulnerability is measured in hours, not days. The engineer makes it easier to build securely than to cut corners.

11. Career Path

11.1 Within-Family Progression

Within JF-SECENG, progression follows the Security Engineering level ladder in JF-001 §9.1: L1 Associate Engineer/S1, L2 Engineer/S2, L3 Senior or Staff Engineer/S3, and L4 Principal Engineer/S4. Promotion evidence should show increasing autonomy in secure design and implementation, ownership of engineering work streams, authorship or improvement of standards and reference architectures, cross-pillar influence, and mentoring of less experienced engineers. The grade definitions and progression dimensions are maintained in JA-001 §4.

11.2 Cross-Family Movement

Cross-family movement options are defined in the Family-to-Family Career Lattice (JF-001 §4). The Left-Right Knowledge Model (FRM-001 §9.2) and cross-training expectations (OM-001 §10.4) operationalize cross-family career movement.

11.3 Management Track Option

At L3+ (SME track), a Management track option may be available per CERG-GOV-JA-001 §8.1 (SME to Management Transition). Readiness indicators include: consistently sought out for guidance by junior team members, leading cross-functional initiatives without formal authority, and communicating clearly with non-technical stakeholders. The transition is a track change, not a grade promotion — an S3 Advisor moving to M1 Manager carries their technical credibility into the management role. Management competencies are defined in CERG-GOV-CMP-001 §7. See CERG-GOV-JA-001 §5 for Management grade definitions (M1-M4) and §9 (Span of Control and Team Design) for when to create a management role.

12. Related CERG Documents

13. Document Control

Revision History

Review Triggers

• Change to this role’s definition in CERG-GOV-OM-001 §6.1
• Change to this role’s NICE Work Role mapping in JF-002
• Change to this role’s grade range in CERG-GOV-JA-001 §7
• Direction from the CISO

Governance owns this document. The Governance Pillar Leader (Policy & Standards) is responsible for initiating reviews, managing the revision cycle, and obtaining approval for all changes.

Related Documents

Source: roles/jf-seceng/CERG-GOV-JD-SECENG-004_Application_Security_Engineer.md · Download .md · View on GitHub