Application Security Engineer at Interactive Brokers
IndiaFull-timeTechnologyPosted 8 days ago
Apply with PipelineAbout the Role
<div class="content-intro"><p></p>
<h3>Company Overview</h3>
<p>Interactive Brokers Group, Inc. (Nasdaq: IBKR) is a global financial services company headquartered in Greenwich, CT, USA, with offices in over 15 countries. We have been at the forefront of financial innovation for over four decades, known for our cutting-edge technology and client commitment.</p>
<p>IBKR affiliates provide global electronic brokerage services around the clock on stocks, options, futures, currencies, bonds, and funds to clients in over 200 countries and territories. We serve individual investors and institutions, including financial advisors, hedge funds and introducing brokers. Our advanced technology, competitive pricing, and global market help our clients to make the most of their investments.</p>
<p>Barron's has recognized Interactive Brokers as the #1 online broker for six consecutive years. Join our dynamic, multi-national team and be a part of a company that simplifies and enhances financial opportunities using state-of-the-art technology.</p>
<p></p></div><p><strong><span data-contrast="auto">About the Role</span></strong><span data-ccp-props="{}"> </span></p>
<p><span data-contrast="auto">We are looking for an Application Security Engineer who lives at the intersection of security and engineering. This is not a policy role — you will be hands-on building, tuning, and scaling the security scanning infrastructure that protects our software delivery pipeline. You will own SAST, DAST, and SCA tooling end to end, drive false positive reduction, and embed security gates directly into CI/CD workflows across engineering teams. A deep understanding of how vulnerabilities actually work — not just what scanners report — is fundamental to success in this role.</span><span data-ccp-props="{}"> <br></span><strong><span data-contrast="auto"><br>The Problem We're Solving</span></strong><span data-ccp-props="{}"> </span></p>
<p><span data-contrast="auto"> We operate in a complex, regulated environment — multiple languages, layered network boundaries, and delivery velocity that cannot be sacrificed for security theater. We are building a scanning program that works in that reality. Tuned, automated, trusted — coverage that is measurable and findings that engineers actually act on. This role exists to solve that problem.</span><span data-ccp-props="{}"> </span></p>
<p><strong><span data-contrast="auto"> </span></strong><strong><span data-contrast="auto">What You'll Do</span></strong><span data-ccp-props="{}"> </span></p>
<ul>
<li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-aria-posinset="1" data-aria-level="1"><span data-contrast="auto">Own and operate static, dynamic, and software composition analysis scanning platforms across all engineering pipelines — onboarding new repositories, tuning rulesets, and maintaining coverage metrics</span><span data-ccp-props="{}"> </span></li>
</ul>
<ul>
<li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-aria-posinset="2" data-aria-level="1"><span data-contrast="auto">Build and maintain CI/CD security gates that enforce scan policies at pull request, merge, and release stages across engineering workflows</span><span data-ccp-props="{}"> </span></li>
</ul>
<ul>
<li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-aria-posinset="3" data-aria-level="1"><span data-contrast="auto">Write custom detection rules tailored to the organization's tech stack and threat model — covering vulnerability classes specific to the languages and frameworks in use</span><span data-ccp-props="{}"> </span></li>
</ul>
<ul>
<li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-aria-posinset="4" data-aria-level="1"><span data-contrast="auto">Triage and prioritize scan findings with a deep understanding of actual exploitability — distinguish true positives from noise, explain the real-world impact of each finding, and build suppression workflows that reduce false positive rates without creating blind spots</span><span data-ccp-props="{}"> </span></li>
</ul>
<ul>
<li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-aria-posinset="5" data-aria-level="1"><span data-contrast="auto">Develop automation to ticket, deduplicate, and route findings to the right engineering teams with enough context for developers to understand and act on them</span><span data-ccp-props="{}"> </span></li>
</ul>
<ul>
<li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-aria-posinset="6" data-aria-level="1"><span data-contrast="auto">Integrate dynamic scanning into pre-production environments with authenticated coverage — understanding what attack surface is actually reachable versus what scanners miss</span><span data-ccp-props="{}"> </span></li>
</ul>
<ul>
<li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-aria-posinset="7" data-aria-level="1"><span data-contrast="auto">Partner with engineering teams on remediation — provide exploit context, reproduce findings where necessary, and give concrete fix guidance grounded in how the vulnerability actually works</span><span data-ccp-props="{}"> </span></li>
</ul>
<ul>
<li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-aria-posinset="8" data-aria-level="1"><span data-contrast="auto">Support software composition analysis and dependency security programs — tying third-party vulnerabilities back to actual reachability and exploitability in the codebase rather than treating every CVE as equal severity</span><span data-ccp-props="{}"> </span></li>
</ul>
<ul>
<li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-aria-posinset="9" data-aria-level="1"><span data-contrast="auto">Contribute to the security champions program — help developers understand not just what is flagged but why it matters and how an attacker would use it</span><span data-ccp-props="{}"> </span></li>
</ul>
<ul>
<li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-aria-posinset="10" data-aria-level="1"><span data-contrast="auto">Run structured evaluations of new tooling and drive buy vs build decisions with documented PoC results</span><span data-ccp-props="{}"> </span></li>
</ul>
<p><span data-contrast="auto"> </span><strong><span data-contrast="auto">What We're Looking For</span></strong><span data-ccp-props="{}"> </span></p>
<p><span data-contrast="auto">These areas are the capabilities we are looking for. Strong candidates will not check every box. If you are strong in either of the below, we want to hear from you. Depth in one area with curiosity about other matters more than surface-level familiarity across all of them. </span><span data-ccp-props="{}"> </span></p>
<ul>
<li data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-aria-posinset="1" data-aria-level="1"><span data-contrast="auto">5-7 years in application security, DevSecOps, or a security engineering role with tooling focus</span><span data-ccp-props="{}"> </span></li>
</ul>
<ul>
<li data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-aria-posinset="2" data-aria-level="1"><span data-contrast="auto">Strong foundational knowledge of how web application vulnerabilities work at a technical level — injection classes, broken authentication patterns, insecure deserialization, XXE, SSRF, IDOR, race conditions, and business logic flaws — not just awareness of their names</span><span data-ccp-props="{}"> </span></li>
</ul>
<ul>
<li data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-aria-posinset="3" data-aria-level="1"><span data-contrast="auto">Ability to read a scan finding and independently reason about whether it is exploitable in context — understanding data flow, trust boundaries, and what an attacker would actually need to trigger it</span><span data-ccp-props="{}"> </span></li>
</ul>
<ul>
<li data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-aria-posinset="4" data-aria-level="1"><span data-contrast="auto">Hands-on experience deploying and tuning SAST platforms — writing or modifying rules, understanding AST-based and dataflow analysis, and knowing where static analysis fundamentally cannot reach</span><span data-ccp-props="{}"> </span></li>
</ul>
<ul>
<li data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-aria-posinset="5" data-aria-level="1"><span data-contrast="auto">Experience integrating security tooling into CI/CD pipelines and enforcing policy at key delivery gates</span><span data-ccp-props="{}"> </span></li>
</ul>
<ul>
<li data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-aria-posinset="6" data-aria-level="1"><span data-contrast="auto">Proficiency in at least one scripting language — Python or Go strongly preferred — for automation and tooling development</span><span data-ccp-props="{}"> </span></li>
</ul>
<ul>
<li data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-aria-posinset="7" data-aria-level="1"><span data-contrast="auto">Experience with DAST tooling in authenticated scan configurations — understanding what authenticated coverage requires and how session handling, CSRF tokens, and multi-step flows affect scan fidelity</span><span data-ccp-props="{}"> </span></li>
</ul>
<ul>
<li data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-aria-posinset="8" data-aria-level="1"><span data-contrast="auto">Familiarity with SCA concepts — dependency graphs, transitive vulnerabilities, license risk, reachability analysis, and SBOM formats including CycloneDX and SPDX</span><span data-ccp-props="{}"> </span></li>
</ul>
<ul>
<li data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-aria-posinset="9" data-aria-level="1"><span data-contrast="auto">Ability to read and reason about code across multiple languages</span><span data-ccp-props="{}"> </span></li>
</ul>
<p><span data-contrast="auto"> </span> <strong><span data-contrast="auto">Nice to Have</span></strong><span data-ccp-props="{}"> </span></p>
<ul>
<li data-leveltext="" data-font="Symbol" data-listid="3" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-aria-posinset="1" data-aria-level="1"><span data-contrast="auto">Development background — candidates who have written production code and personally addressed security vulnerabilities in a codebase bring a fundamentally different perspective to this role; they understand why developers make the choices they do, where fixes break things, and how to give remediation guidance that engineers will actually implement</span><span data-ccp-props="{}"> </span></li>
</ul>
<ul>
<li data-leveltext="" data-font="Symbol" data-listid="3" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-aria-posinset="2" data-aria-level="1"><span data-contrast="auto">Background that spans both sides of the SDLC — having sat in a developer role before moving into security means stronger partnerships with engineering teams and more credible guidance during code review and triage conversations</span><span data-ccp-props="{}"> </span></li>
</ul>
<ul>
<li data-leveltext="" data-font="Symbol" data-listid="3" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-aria-posinset="3" data-aria-level="1"><span data-contrast="auto">Experience writing custom detection logic for organization-specific vulnerability patterns beyond out-of-the-box scanner coverage</span><span data-ccp-props="{}"> </span></li>
</ul>
<h4>Company Benefits & Perks: </h4>
<ul>
<li>Competitive salary package.</li>
<li>Performance based annual bonus (<em>cash and stocks</em>).</li>
<li>Hybrid working model (3<em> days office/week</em>).</li>
<li>Group Medical & Life Insurance.</li>
<li>Modern offices with free amenities & fully stocked cafeterias.</li>
<li>Monthly food card & company paid snacks.</li>
<li>Hardship/shift allowance with company provided pickup & drop facility*</li>
<li>Attractive employee referral bonus.</li>
<li>Frequent company sponsored team building events and outings.</li>
</ul>
<p>* <em>Depending upon the shifts.</em></p>
<p>**<em>The benefits package is subject to change at the management's discretion.</em></p>
<p> </p>
<p> </p>
<p> </p>
Related Roles
Security Engineer II - Red Team (BAS)
Interactive Brokers
Mumbai, IndiaSecurity Operator I
Interactive Brokers
Hyderabad, IndiaSecurity Engineer – Bug Bounty
Interactive Brokers
IndiaNetwork Security Specialist
Interactive Brokers
Mumbai, IndiaTrade Support Engineer
Interactive Brokers
Hong KongApplication Support Engineer
Interactive Brokers
Hong Kong