Sr Application Security Engineer

Plano, Texas

Hyundai Capital America
Who We Are

Through our service brands Hyundai Motor Finance, Genesis Finance, and Kia Finance, Hyundai Capital America offers a wide range of financial products tailored to meet the needs of Hyundai, Genesis, and Kia customers and dealerships. We provide vehicle financing, leasing, subscription, and insurance solutions to over 2 million consumers and businesses. Embodying our commitment to grow, innovate, and diversify, we strive to reimagine the customer and dealer experience and launch innovative new products that broaden our market reach. We believe that success comes from within and are proud to support our team members through skill development and career advancement. Hyundai Capital America is an Equal Opportunity Employer committed to creating a diverse and inclusive culture for our workforce. We are a values-driven company dedicated to supporting both internal and external communities through volunteering, philanthropy, and the empowerment of our Employee Resource Groups. Together, we strive to be the leader in financing freedom of movement.

We Take Care of Our People

Along with competitive pay, as an employee of HCA, you are eligible for the following benefits:

Medical, Dental and Vision plans that include no-cost and low-cost plan options

Immediate 401(k) matching and vesting

Vehicle purchase and lease discounts plus monthly vehicle allowances

Paid Volunteer Time Off with company donation to a charity of your choice

Tuition reimbursement

What to Expect

The Sr. Application Security Engineer will be responsible for designing, implementing, and testing security controls for financial applications, ensuring protection against threats such as data breaches, injection attacks, and unauthorized access. Reporting to the Sr. Manager, Security Engineering & Architect, this role will focus on embedding security into the software development lifecycle (SDLC), conducting vulnerability assessments, and collaborating with development teams to build secure applications. In addition, this role will collaborate with Identity and Access Management (IAM) and Data Loss Prevention (DLP) systems and ensure compliance with financial regulations (e.g., PCI DSS, GDPR, Korean SOX, FFIEC).

What You Will Do

1. Application Security Design and Implementation:

Secure Application Development: Collaborate with development teams to design and implement secure coding practices, ensuring applications (e.g., web, mobile, APIs) are built with security-by-design principles.

Security Controls: Implement and maintain application security controls, including input validation, secure session management, encryption, and secure API design, to protect financial data and transactions.

Code Review: Perform manual and automated code reviews using tools (e.g., SonarQube, Snyk, JFrog, etc.) to identify and remediate vulnerabilities such as OWASP Top 10 (e.g., SQL injection, XSS, CSRF).

Threat Modeling: Conduct threat modeling for financial applications using frameworks (e.g., STRIDE, MITRE ATT&CK) to identify and mitigate risks early in the SDLC.

2. Vulnerability Management and Testing:

Static and Dynamic Analysis: Conduct static application security testing (SAST) and dynamic application security testing (DAST) to identify vulnerabilities in application code and runtime environments.

Penetration Testing: Perform application-focused penetration testing to validate security controls and simulate real-world attacks (e.g., account takeover, data exfiltration).

Vulnerability Remediation: Work with developers to prioritize and remediate vulnerabilities, providing guidance on secure coding fixes and best practices.

Bug Bounty Programs: Support the management of bug bounty programs, triaging reported vulnerabilities and coordinating fixes with development teams.

3. Integration with IAM and DLP:

IAM Integration: Collaborate with the IAM team to implement secure authentication and authorization mechanisms (e.g., OAuth, OpenID Connect, JWT) in applications, aligning with zero-trust principles and RBAC/MFA requirements.

DLP Integration: Work with the DLP team to embed data loss prevention controls (e.g., Symantec DLP, Microsoft Purview) into applications, ensuring sensitive financial data (e.g., PII, payment card data) is protected from unauthorized access or exfiltration.

Secure API Design: Design and secure APIs used in financial applications, integrating with IAM and DLP systems to enforce access controls and data protection policies.

4. DevSecOps and Automation:

DevSecOps Integration: Embed security into CI/CD pipelines using tools (e.g., Jenkins, Bitbucket, GitHub, etc.), automating security scans and ensuring secure deployments in financial environments.

Security Tooling: Deploy and manage application security tools (e.g., Snyk, OWASP ZAP, Burp Suite) within development workflows to enable continuous security testing.

Scripting and Automation: Develop scripts (e.g., Python, Bash, PowerShell) to automate security testing, vulnerability scanning, and compliance checks in the SDLC.

Container Security: Secure containerized applications (e.g., Docker, Kubernetes) used in financial services, implementing runtime protection and image scanning.

5. Compliance and Risk Management:

Regulatory Compliance: Ensure application security practices comply with financial regulations (e.g., PCI DSS, GDPR, Korean SOX, FFIEC, NYDFS) through secure coding, documentation, and audit-ready configurations.

Risk Assessments: Conduct application risk assessments to identify and mitigate vulnerabilities, such as insecure dependencies or misconfigured APIs.

Policy Enforcement: Enforce application security policies and standards based on industry frameworks (e.g., OWASP, NIST 800-53, ISO 27001).

Vendor Security: Assess third-party libraries, APIs, and SaaS integrations for security risks, ensuring compliance with financial security requirements.

6. Collaboration and Training:

Developer Collaboration: Partner with software engineering, DevOps, IAM, and DLP teams to integrate security into application development and deployment processes.

Security Training: Provide training and guidance to developers on secure coding practices, OWASP vulnerabilities, and financial-specific threats (e.g., fraud, data breaches).

Incident Response Support: Assist in incident response for application-related security incidents, such as data breaches or API exploits, collaborating with SOC and incident response teams.

Knowledge Sharing: Mentor junior engineers and contribute to the organization's security knowledge base with best practices and lessons learned.

7. Documentation and Reporting:

Security Documentation: Create and maintain documentation for application security designs, vulnerability reports, and remediation plans to support audits and incident response.

Reporting: Provide regular reports on application security posture, vulnerabilities, and remediation progress to the Director of Cybersecurity and other stakeholders.

Metrics: Develop and track metrics (e.g., vulnerability resolution time, secure code coverage) to measure application security effectiveness and drive continuous improvement.

Date Posted: 17 May 2025