Contract: Application Security Engineer

Upwork ($UPWK) is the world’s work marketplace. We serve everyone from one-person startups to over 30% of the Fortune 100 with a powerful, trust-driven platform that enables companies and talent to work together in new ways that unlock their potential.

Last year, more than $3.8 billion of work was done through Upwork by skilled professionals who are gaining more control by finding work they are passionate about and innovating their careers.

This is an engagement through Upwork’s Hybrid Workforce Solutions (HWS) Team. Our Hybrid Workforce Solutions Team is a global group of professionals that support Upwork’s business. Our HWS team members are located all over the world.

We are looking for an experienced Application Security Analyst to help identify, analyze, and reduce application-layer security risk across our environment. This role is heavily focused on triage, validation, and prioritization of findings from automated security tools and external researchers, rather than tool administration or application architecture ownership.

You will work closely with engineering, vulnerability management, and security operations teams to ensure findings are accurate, actionable, and addressed in a risk-informed way.

This is a hands-on role suited for someone who already understands application security fundamentals and wants to deepen their impact without moving into a senior or architect-level position.

Vulnerability Analysis & Triage

• Analyze and validate findings from SAST, DAST, and SCA tools, including:
• SonarQube
• VeraCode (SourceClear)
• NetSparker (Invicti)
• Chariot (by Praetorian)
• Other common commercial and open-source scanning tools

• Distinguish true positives from false positives and provide clear, developer-friendly explanations of confirmed issues.
• Assess vulnerability severity and exploitability in real-world application contexts.

Bug Bounty & External Findings

• Triage and validate submissions from the bug bounty program.
• Reproduce reported issues and provide technical validation using tools such as BurpSuite.
• Collaborate with internal teams to track remediation and confirm fixes.

Developer Collaboration

• Work directly with application and platform engineers to:
  • Explain findings and root causes.
  • Provide remediation guidance and secure coding recommendations.
  • Help improve signal-to-noise ratio in security findings by refining workflows and feedback loops.

Process & Continuous Improvement

• Leveraging AI and automation to remove repeatable processes.
• Contribute to improving vulnerability triage processes and documentation.
• Identify recurring vulnerability patterns and recommend preventive controls.
• Support reporting and metrics related to application security risk.

Must-Haves (Required Skills):

• 3–6 years of experience in application security, product security, or vulnerability management.
• Strong hands-on experience reviewing and interpreting scan results from SAST, DAST, and SCA tools.
• Practical understanding of common application vulnerabilities, including:
  • OWASP Top 10.
  • Injection flaws, authentication issues, access control problems (incl. IDOR), insecure dependencies.
• Ability to read and reason about application code (e.g., Java, JavaScript, Python, Go, etc.) for the purpose of vulnerability analysis.
• Experience working with or triaging findings from a bug bounty or responsible disclosure program.
• Strong written and verbal communication skills, especially when translating security findings for developers.
• Familiarity with CI/CD security integrations.
• Experience with cloud-native or SaaS application environments.
• Understanding of API security testing and findings.
• Exposure to threat modeling or secure design reviews.
• Experience working in a DevSecOps or product security team.

Upwork is proudly committed to fostering a diverse and inclusive workforce. We never discriminate based on race, religion, color, national origin, gender (including pregnancy, childbirth, or related medical condition), sexual orientation, gender identity, gender expression, age, status as a protected veteran, status as an individual with a disability, or other applicable legally protected characteristics.