Application Security Engineer
Who are we?
The Motley Fool is a purpose-driven financial services company on a mission to make the world smarter, happier, and richer. For 30 years we’ve been helping people make better investment decisions through transparency, education, and Foolish fun. We’re a fast-moving, collaborative team that values high-quality work, curiosity, and initiative. We care deeply about what we do, and we’re driven by the impact our work has on real people’s financial futures.
About the Role:
We’re seeking a mid to senior-level Application Security Engineer with strong technical instincts, a bias for action, and the ability to own complex projects end-to-end. You’ll be part of a high-impact team responsible for identifying, validating, and remediating security risks across a multi-language environment (Python, C#, PHP). This is not a checkbox role—success here means taking initiative, verifying deeply, and driving security outcomes without waiting to be told.
A growing focus of this role will be securing AI and LLM-based applications. This is an emerging and rapidly evolving area of security, and we’re looking for someone excited to help define best practices, assess novel risks, and build safeguards into how we use generative AI. You don’t need to be an expert yet—but curiosity, initiative, and a willingness to learn fast are essential.
Key Responsibilities:
Project Ownership
Own and deliver application security initiatives end-to-end.
Define clear quarterly SMART goals and drive toward their completion.
Engage stakeholders proactively and escalate blockers before they become issues.
Take full responsibility for the delivery of project ownership.
Technical Depth
Validate findings through hands-on testing; never assume without verification.
Produce detailed, technically accurate risk assessments and remediation advice.
Investigate deeply using tools like Semgrep, Feroot, Source Defense, and Noname.
Understand the context of the applications you’re securing—business logic, threat model, and operational constraints.
Stay current on insecure practices (e.g. eval, shell injection, unsafe deserialization) and ensure they’re recognized and flagged appropriately.
Active Participation and Autonomy
Speak up early when you see risk, blockers, or better ways to solve problems.
Share context, findings, and decisions proactively in meetings and documentation.
Follow through on action items; own gaps and next steps.
Operate with transparency—acknowledge unknowns and follow up with answers.
Qualifications:
3–7 years in Application Security, Penetration Testing, or Secure Software Development.
Strong background in Python or other backend languages (C#, PHP).
Experience with security testing methodologies and tools, including SAST, DAST, IAST, RASP, SCA, API Security tools (e.g., Noname, Traceable, Levo), Client-side Security tools (e.g., Feroot, Source Defense), and CNAPP.
Working familiarity with cloud-based technologies, particularly AWS (e.g., IAM, VPCs, S3, Lambda, CloudFront, Security Groups).
Deep understanding of OWASP Top 10, CWE Top 25, and secure SDLC principles.
Comfortable working directly with developers and cross-functional stakeholders.
We also welcome candidates with non-traditional security backgrounds. If you come from software development, infrastructure, or a related technical field and are passionate about building a long-term career in security, we’d love to hear from you.
Bonus Points
Contributions to open-source, bug bounty programs, or security communities.
Familiarity with compliance standards like PCI-DSS, SOC 2, or ISO 27001.
Prior experience in environments with distributed teams or high agility.
We value people who take initiative, challenge the status quo, and consistently raise the bar. If that’s how you work, you’ll thrive here.
**Please note, no sponsorship is available for this position. You must reside in, or be willing to relocate to, one of these states for employment: Alabama, California, Colorado, Florida, Louisiana, Maryland, Massachusetts, New Jersey, New York, North Carolina, Oregon, Pennsylvania, South Carolina, Tennessee, Texas, Virginia, Washington DC, and Wisconsin.
Below you’ll see a few of our perks, but check out our Careers Site for the complete list:
Flexible, remote work environment (*see our open states above)
No “vacation policy” (not to be confused with a “No vacation” policy)
Generous fully-paid parental leave
$1,000 annually to invest in stocks of your choice
Super low premiums for medical, dental, and vision coverage
Comprehensive compensation package, including company equity
Compensation:
Below is our target compensation range. While we are budget conscious, we’re also eager to find the right person for this role, so if your target is outside of this range, please don’t hesitate to apply and we’d be happy to have a conversation.
Annual Pay Range
$150,000—$175,000 USD
Application Security Engineer
Who are we?
The Motley Fool is a purpose-driven financial services company on a mission to make the world smarter, happier, and richer. For 30 years we’ve been helping people make better investment decisions through transparency, education, and Foolish fun. We’re a fast-moving, collaborative team that values high-quality work, curiosity, and initiative. We care deeply about what we do, and we’re driven by the impact our work has on real people’s financial futures.
About the Role:
We’re seeking a mid to senior-level Application Security Engineer with strong technical instincts, a bias for action, and the ability to own complex projects end-to-end. You’ll be part of a high-impact team responsible for identifying, validating, and remediating security risks across a multi-language environment (Python, C#, PHP). This is not a checkbox role—success here means taking initiative, verifying deeply, and driving security outcomes without waiting to be told.
A growing focus of this role will be securing AI and LLM-based applications. This is an emerging and rapidly evolving area of security, and we’re looking for someone excited to help define best practices, assess novel risks, and build safeguards into how we use generative AI. You don’t need to be an expert yet—but curiosity, initiative, and a willingness to learn fast are essential.
Key Responsibilities:
Project Ownership
Own and deliver application security initiatives end-to-end.
Define clear quarterly SMART goals and drive toward their completion.
Engage stakeholders proactively and escalate blockers before they become issues.
Take full responsibility for the delivery of project ownership.
Technical Depth
Validate findings through hands-on testing; never assume without verification.
Produce detailed, technically accurate risk assessments and remediation advice.
Investigate deeply using tools like Semgrep, Feroot, Source Defense, and Noname.
Understand the context of the applications you’re securing—business logic, threat model, and operational constraints.
Stay current on insecure practices (e.g. eval, shell injection, unsafe deserialization) and ensure they’re recognized and flagged appropriately.
Active Participation and Autonomy
Speak up early when you see risk, blockers, or better ways to solve problems.
Share context, findings, and decisions proactively in meetings and documentation.
Follow through on action items; own gaps and next steps.
Operate with transparency—acknowledge unknowns and follow up with answers.
Qualifications:
3–7 years in Application Security, Penetration Testing, or Secure Software Development.
Strong background in Python or other backend languages (C#, PHP).
Experience with security testing methodologies and tools, including SAST, DAST, IAST, RASP, SCA, API Security tools (e.g., Noname, Traceable, Levo), Client-side Security tools (e.g., Feroot, Source Defense), and CNAPP.
Working familiarity with cloud-based technologies, particularly AWS (e.g., IAM, VPCs, S3, Lambda, CloudFront, Security Groups).
Deep understanding of OWASP Top 10, CWE Top 25, and secure SDLC principles.
Comfortable working directly with developers and cross-functional stakeholders.
We also welcome candidates with non-traditional security backgrounds. If you come from software development, infrastructure, or a related technical field and are passionate about building a long-term career in security, we’d love to hear from you.
Bonus Points
Contributions to open-source, bug bounty programs, or security communities.
Familiarity with compliance standards like PCI-DSS, SOC 2, or ISO 27001.
Prior experience in environments with distributed teams or high agility.
We value people who take initiative, challenge the status quo, and consistently raise the bar. If that’s how you work, you’ll thrive here.
**Please note, no sponsorship is available for this position. You must reside in, or be willing to relocate to, one of these states for employment: Alabama, California, Colorado, Florida, Louisiana, Maryland, Massachusetts, New Jersey, New York, North Carolina, Oregon, Pennsylvania, South Carolina, Tennessee, Texas, Virginia, Washington DC, and Wisconsin.
Below you’ll see a few of our perks, but check out our Careers Site for the complete list:
Flexible, remote work environment (*see our open states above)
No “vacation policy” (not to be confused with a “No vacation” policy)
Generous fully-paid parental leave
$1,000 annually to invest in stocks of your choice
Super low premiums for medical, dental, and vision coverage
Comprehensive compensation package, including company equity
Compensation:
Below is our target compensation range. While we are budget conscious, we’re also eager to find the right person for this role, so if your target is outside of this range, please don’t hesitate to apply and we’d be happy to have a conversation.
Annual Pay Range
$150,000—$175,000 USD