Application Security Engineer

Keyloop bridges the gap between dealers, manufacturers, technology suppliers and car buyers.

We empower car dealers and manufacturers to fully embrace digital transformation. How? By creating innovative technology that makes selling cars better for our customers, and buying and owning cars better for theirs.

We use cutting-edge technology to link our clients’ systems, departments and sites. We provide an open technology platform that’s shaping the industry for the future. We use data to help clients become more efficient, increase profitability and give more customers an amazing experience. Want to be part of it?

Role Summary

The Application Security Engineer is responsible for embedding security into Keyloop’s application development lifecycle to ensure that products and services are designed, built, and operated securely. This role partners closely with engineering and product teams to identify, prioritise, and mitigate application-level risks while enabling secure, scalable delivery.

The role requires strong hands-on application security expertise, a deep understanding of modern software development practices, and the ability to influence engineering teams through collaboration and pragmatism rather than control.

Key Responsibilities:

• Secure SDLC & Engineering Enablement
• Define, implement, and continuously improve secure software development lifecycle (SSDLC) practices aligned with Keyloop’s delivery model
• Embed security requirements into application design, development, testing, and deployment activities
• Work closely with engineering teams to address security early in the development lifecycle
• Provide hands-on guidance and coaching to developers on secure coding practices and design patterns
• Application Security Testing & Tooling
• Design, operate, and improve application security testing capabilities, including:
• Static Application Security Testing (SAST)
• Dynamic Application Security Testing (DAST)
• Software Composition Analysis (SCA)
• Interactive Application Security Testing (IAST), where applicable
• Integrate security testing tools into CI/CD pipelines and developer workflows
• Triage, validate, and prioritise findings to reduce false positives and focus on material risk
• Ensure findings are risk-ranked, actionable, and aligned to business impact
• Vulnerability Management (Application-Focused)
• Own the application vulnerability management lifecycle from discovery through remediation and verification
• Define remediation SLAs in collaboration with engineering teams based on severity, exploitability, and business context
• Track remediation progress and provide clear reporting on application security risk and trends
• Secure Architecture, Design & API Security
• Conduct application architecture and design reviews for new and existing services
• Provide guidance on authentication, authorisation, session management, cryptography, and secure data handling
• Assess and improve API security, including authentication, authorisation, rate limiting, and abuse prevention
• Support secure adoption of cloud-native, microservices, and event-driven architectures
• Threat Modelling & Risk Assessment
• Facilitate threat modelling exercises to identify abuse cases, attack paths, and design weaknesses
• Apply attacker-centric thinking using frameworks such as OWASP and MITRE ATT&CK
• Ensure identified risks are documented, prioritised, and addressed appropriately
• Incident Support & Assurance
• Provide application security expertise during security incidents and investigations
• Support root cause analysis and remediation for application-related vulnerabilities or breaches
• Contribute to post-incident reviews and preventative control improvements
• Standards, Assurance & Continuous Improvement
• Define and maintain application security standards, secure coding guidelines, and reusable security patterns
• Support compliance and assurance activities related to application security, including NIST, ISO/IEC 27001, and SOC 2 requirements
• Stay current with emerging application security threats, vulnerabilities, and best practices
• Continuously improve tooling, processes, and developer enablement based on lessons learned
  
  
  

Essential Skillsets

• 5+ years of experience in application security, secure software development, or related engineering roles
• Strong understanding of modern application architectures, including web applications, APIs, and microservices
• Hands-on experience with application security testing tools (SAST, DAST, SCA, etc.)
• Experience integrating security tooling into CI/CD pipelines
• Solid understanding of common vulnerabilities (e.g., OWASP Top 10) and secure coding practices
• Experience working in Agile and DevOps environments
  
  
  

Why join us?

We’re on a journey to become market leaders in our space – and with that comes some incredible opportunities. Collaborate and learn from industry experts from all over the globe. Work with game-changing products and services. Get the training and support you need to try new things, adapt to quick changes and explore different paths. Join Keyloop and progress your career, your way.

An inclusive environment to thrive

We’re committed to fostering an inclusive work environment. One that respects all dimensions of diversity. We promote an inclusive culture within our business, and we celebrate different employees and lifestyles – not just on key days, but every day.

Be rewarded for your efforts

We believe people should be paid based on their performance so our pay and benefits reflect this and are designed to attract the very best talent. We encourage everyone in our organisation to explore opportunities which enable them to grow their career through investment in their development but equally by working in a culture which fosters support and unbridled collaboration.

Keyloop doesn’t require academic qualifications for this position. We select based on experience and potential, not credentials.

We are also an equal opportunity employer committed to building a diverse and inclusive workforce. We value diversity and encourage candidates of all backgrounds to apply.

We may use artificial intelligence (AI) tools to support parts of the hiring process, such as reviewing applications, analyzing resumes, or assessing responses. These tools assist our recruitment team but do not replace human judgment. Final hiring decisions are ultimately made by humans. If you would like more information about how your data is processed, please contact us.

---