Application Security Analyst

Your opportunity

At Schwab, you’re empowered to make an impact on your career. Here, innovative thought meets creative problem solving, helping us “challenge the status quo” and transform the finance industry together.

We believe in the importance of in-office collaboration and fully intend for the selected candidate for this role to work on site in the specified location(s).  

As an entry-level Application Security Engineer, you’ll help build security into our software from design through delivery. You’ll partner with developers and product teams to identify and remediate vulnerabilities, support dynamic application security testing (DAST), and strengthen API security controls. You’ll use foundational programming knowledge in Java and .NET to understand how issues appear in code and how to fix them efficiently.

You’ll operate within Schwab’s Secure Application Development Standard and leverage our AppSec services to “shift left” and continuously improve our security posture. 

Key Responsibilities

• Perform and support DAST (e.g., running scans, triaging findings, and retesting after fixes) for web and API-based services; collaborate with engineering to prioritize and remediate issues. 
• Apply OWASP Top 10 knowledge to identify common vulnerability categories (e.g., broken access control, injection, SSRF) and advise teams on secure patterns
• Strengthen API security by participating in inventory, vulnerability triage, and testing activities aligned to our program approach.
• Partner with developers to reproduce findings, review fixes, and validate remediation—using your understanding of Java/.NET code paths, frameworks, and typical anti-patterns.
• Support “shift-left” practices by integrating AppSec tooling into build pipelines and promoting developer experience best practices (e.g., automation, workflow orchestration). 
• Document vulnerabilities, remediation steps, and residual risk; contribute to secure coding guides and internal knowledge bases.
• Monitor and follow up on open issues; help coordinate cross-team actions during security test cycles and release gating
• Maintain accurate documentation of security findings, remediation status, and communications with stakeholders.
• Contribute to continuous improvement of application security processes and tooling.

What you have

Required Qualifications

• Exposure to OWASP Top 10 concepts and practical examples (web & API). 
• Hands-on familiarity with DAST workflows and tools (running scans, reading reports, working with developers to fix). 
• API Security fundamentals (authentication/authorization, rate limiting, schema validation, common API risk scenarios, common API technologies; REST, SOAP, GraphQL). 
• Programming fundamentals in Java and .NET (e.g., HTTP request/response, input validation, authN/authZ, secure configuration).
• Understanding of SDLC and DevSecOps basics (version control, CI/CD, unit/integration testing).
• Clear written and verbal communication; ability to explain findings to non-security stakeholders.

Preferred Qualifications

• Coursework, projects, or internships involving secure coding, code review, or vulnerability remediation in Java/.NET.
• Familiarity with AppSec tooling including common DAST capabilities, BURP Suite, and development tools.
• Exposure to API security testing approaches (linting, governed specs/OpenAPI, risk profiling, and CI integration). 
• Participation in security labs or events (e.g., OWASP workshops, cyber ranges). 
• Bachelor’s Degree in a relevant field, (Computer Science, MIS, Cyber Security).
• Certifications including CEH, Security+, OSCP