IS Consultant IV, Application Security

Urgent


Job Description

In addition to responsibilities listed below, this position is responsible for reviewing application source code for potential security vulnerabilities by performing manual and automated security testing on applications in a running state (DAST); working with DevOps teams to integrate application security services; training DevOps personnel and developers to use application security tools; working one-on-one with developers to help them understand security vulnerabilities at hand and to identify/suggest remediation plans; and recommending application security training paths. This also includes responsibility for protecting applications in production by enrolling them for continuous assessment of existing and emerging threats, evaluating web application firewalls; tuning WAF rules; reviewing alerts; and identifying issues as appropriate.

The Application Security Consultant is a senior-level role responsible for driving secure software development practices across the technology landscape. This position supports critical application security functions including secure code reviews, static and dynamic application security testing, open-source component analysis, mobile app security assessments, and vulnerability remediation support. The consultant collaborates with developers, product owners, vendors, and internal security stakeholders to identify and address risks early in the Software Development Life Cycle (SDLC), while ensuring adherence to secure coding and architectural standards.

Ideal candidates will have advanced programming skills in languages such as Java, Python, Swift, or similar, enabling deep code-level security assessments and guidance on remediation aligned with secure development practices. They should have hands-on experience with application security tools such as SAST, DAST, OSCA, and mobile security solutions (e.g., Checkmarx, Black Duck, NowSecure, Burp Suite, Sonatype, or similar), though familiarity with all listed tools is not required. Candidates should also bring experience conducting threat modeling, leading security architecture reviews, and working with vendors on third-party application assessments. Strong capability to define and present secure development standards to diverse technical teams, and to influence architecture and engineering decisions, is essential. This role also requires excellent cross-functional communication skills, with the ability to clearly articulate risk and security recommendations to application teams, vendors, and executive stakeholders. This role is critical to enhancing our security posture, reducing vulnerability exposure, and enabling secure DevSecOps integration across the organization.

Essential Responsibilities

  • Completes work assignments and supports business-specific projects by applying expertise in subject area; supporting the development of work plans to meet business priorities and deadlines; ensuring team follows all procedures and policies; coordinating and assigning resources to accomplish priorities and deadlines; collaborating cross-functionally to make effective business decisions; solving complex problems; escalating high priority issues or risks, as appropriate; and recognizing and capitalizing on improvement opportunities.
  • Practices self-development and promotes learning in others by proactively providing information, resources, advice, and expertise with coworkers and customers; building relationships with cross-functional stakeholders; influencing others through technical explanations and examples; adapting to competing demands and new responsibilities; listening and responding to, seeking, and addressing performance feedback; providing feedback to others and managers; creating and executing plans to capitalize on strengths and develop weaknesses; supporting team collaboration; and adapting to and learning from change, difficulties, and feedback.
  • Effectively communicates investigative findings to non-technical audiences. Collaborates with technology risk teams and business stakeholders to respond to and remediate identified issues, and determine the best approach for improving security posture.
  • Provides recommendations to management and business stakeholders on how to remediate issues identified through security testing processes.
  • Identifies the impact of security test plans on upstream and downstream solution components.
  • Supports information sharing and integration procedures across cyber security through the exchange of threat intelligence and cyber security vulnerability assessment data.
  • Contributes to cyber security intellectual capital by making process or procedure improvements, conducting "brown bag" training sessions, and creating new training documents.
  • Follows established processes to ensure KPI goals are obtained and performance metrics are tracked on an ongoing basis.
  • Recommends business line or business technology team security process improvements which align with sustainable best practices, and the strategic and tactical goals of the business.
  • Supports continuous process improvement by participating in the development, implementation, and maintenance of standardized security tools, templates, and processes across multiple business domains.
  • Performs complex security test data analysis in support of security vulnerability assessment processes, including root cause analysis.
  • Serves as an escalation point on issues, dependencies, and risks related to security testing.
  • Executes the vulnerability assessment and penetration testing plan, methodologies, and standard processes for moderately to highly complex technology initiatives across multiple IT domains by analyzing business and technology requirements.
  • Researches and stays abreast of industry trends, emerging threats, best practices, and cutting-edge techniques to creatively discover and exploit vulnerabilities and recommend security solutions for technology systems.
  • Provides insight and consultation on the development of testing scope and approach and collaborates with cross functional IT and business stakeholders to review the overall testing approach.
  • Validates security test scenarios across various SDLC phases (e.g., development, reproduction, production) for low- to moderately complex projects.
  • Generates scheduled reports (e.g., status updates, risk assessments).
  • Lead secure code reviews across multiple programming languages including Java, Python, Swift, JavaScript, or similar to identify vulnerabilities and enforce secure coding practices.
  • Integrate and scale application security tools (e.g., SAST, DAST, OSCA, mobile security solutions) within complex DevSecOps pipelines to support automation, enforce security policies, and maintain governance.
  • Define, document, and socialize secure development standards across diverse technical teams, influencing architecture and engineering decisions to align with security best practices.
  • Collaborate with development teams, product owners, vendors, and executive stakeholders to triage security findings, guide remediation efforts, and communicate risk effectively.
  • Participate in threat modeling, architecture reviews, and risk assessments for new and existing applications to proactively identify and mitigate security risks.
  • Maintain and enhance secure SDLC practices by contributing to the development of security standards, guardrails, and developer enablement initiatives.
  • Provide security guidance during design and implementation phases, ensuring alignment with organizational security policies, compliance requirements, and industry best practices.
  • Maintain assessment documentation, including procedures, findings, and remediation tracking, in alignment with governance and audit readiness requirements.
  • Drive vendor application security assessments, including reviewing third-party security reports and documentation to evaluate the vendor's security posture. Provide recommendations to determine whether the vendor meets security standards prior to procurement or integration.

Minimum Qualifications

  • Minimum three (3) years of hands-on experience in software or application development using languages such as Java, Python, Swift, or .NET.
  • Minimum two (2) years of hands-on experience with penetration testing tools (e.g., Burp Suite, OWASP ZAP, Nmap, Metasploit) and at least one (1) year of experience in application security practices such as SAST, DAST, OSCA, API Security or mobile application security.
  • Bachelor's degree in Computer Science, Cyber Security, Mathematics, or a related field and a minimum of six (6) years' experience in IT or a related field, including a minimum of two (2) years in information security, network engineering, or application development. Additional equivalent work experience may be substituted for the degree requirement.
  • Strong collaboration and communication skills to work effectively with cross-functional teams including developers, architects, vendors, and product owners.

Preferred Qualifications

  • Practical experience in threat modeling and secure architecture design reviews.
  • Exposure to healthcare regulatory standards such as HIPAA or HITRUST is a plus.
  • Two (2) years' experience in security penetration testing or related security research.
  • Two (2) years' experience using SQL or a similar query language.
  • Hands-on experience with CI/CD pipelines, including automation of application deployment workflows and embedding application security controls through integration of security testing tools in DevSecOps environments.
  • Two (2) years' experience integrating third-party source code or libraries.
  • Two (2) years' experience applying Agile development practices.
  • Two (2) years' experience working with web services.
  • Two (2) years' work experience requiring the development of technical documents or presentations.
  • Three (3) years' experience with J2EE, Java Stack, and/or .NET development technologies.
  • Working knowledge of database performance optimization, disaster recovery (DR) strategies, data resiliency principles, or maintaining JIRA operations.

One or more of the following certifications strongly preferred:

  • CISSP (Certified Information Systems Security Professional)
  • OSCP / OSCP+ (Offensive Security Certified Professional)
  • CSSLP (Certified Secure Software Lifecycle Professional)
  • GIAC certifications (e.g., GWAPT, GWEB, GSSP-Java/.NET)
  • Security+ or equivalent foundational certification

Benefits

  • Transportation.
  • Life insurance.
  • Medical insurance.
  • Solidarity association.
  • Growth plans.
  • Additional days off.