2nd July 2026
Application Security Engineer
Engineering
London
£650 per day Outside IR35
Application Security Engineer (Outside IR35 Contract)
Role: Application Security Engineer
Contract Type: Outside IR35
Location: Remote.
Duration: Initial 6 months
Day Rate: c.£650
Overview
We are seeking an experienced Application Security Engineer to join a high-performing technology and security team on an Outside IR35 contract basis. This role is focused on embedding security throughout the software development lifecycle, improving product security posture, and working closely with engineering teams to build secure-by-design applications and platforms.
The successful contractor will bring a strong blend of application security, cloud security, DevSecOps, and threat modelling expertise, helping to identify and remediate security risks across a complex technology estate.
Key Responsibilities
- Partner with engineering, architecture, and product teams to integrate security into the SDLC.
- Conduct application and product security assessments, threat modelling, and architecture reviews.
- Identify, assess, and prioritise security vulnerabilities across web, mobile, API, and cloud-based applications.
- Support secure coding practices and provide security guidance to development teams.
- Implement and optimise security tooling within CI/CD pipelines.
- Review SAST, DAST, SCA, container, and infrastructure security findings and drive remediation activities.
- Perform security design reviews for new products, features, and platform enhancements.
- Contribute to security standards, policies, patterns, and technical controls.
- Support penetration testing activities and coordinate remediation of findings.
- Work closely with development teams to improve security maturity and reduce risk.
- Provide pragmatic security advice balancing security requirements with business objectives.
Required Skills & Experience
- Extensive experience in Application Security, Product Security, or DevSecOps roles.
- Strong knowledge of secure software development principles and secure coding practices.
- Experience performing threat modelling using recognised frameworks (e.g. STRIDE).
- Hands-on experience with security testing tools including:
  - SAST
  - DAST
  - SCA
  - Container security scanning
  - Secrets detection
- Strong understanding of API security, OWASP Top 10, and modern web application security threats.
- Experience securing cloud-native environments, particularly AWS, Azure, or GCP.
- Familiarity with CI/CD platforms such as Azure DevOps, GitHub Actions, GitLab, or Jenkins.
- Ability to review security vulnerabilities and recommend practical remediation strategies.
- Excellent stakeholder engagement and communication skills.
Desirable Experience
- Experience within regulated environments.
- Knowledge of Kubernetes and containerised architectures.
- Hands-on penetration testing experience.
- Experience implementing DevSecOps practices at scale.
- Industry certifications such as:
  - CSSLP
  - CISSP
  - GWAPT
  - GWEB
  - OSCP
  - CCSP
  - Azure, AWS, or GCP security certifications
Deliverables
The successful contractor will:
- Improve application and product security posture across key platforms.
- Embed security controls and assurance activities within engineering workflows.
- Reduce vulnerability backlog and improve remediation effectiveness.
- Enhance threat modelling and security review processes.
- Contribute to a scalable and sustainable DevSecOps capability.
Engagement Details
This engagement is being offered on an Outside IR35 basis. Applicants should be able to demonstrate genuine consultancy-style delivery, working autonomously and delivering outcomes rather than operating as part of the client’s organisational structure.
Apply
If you are an experienced Application Security Engineer with a strong background in application security, cloud security, and DevSecOps, and are seeking an Outside IR35 opportunity, we would love to hear from you.
Consultant - Abigail Moss
Telephone: 0207 392 7516
Email: abigail.moss@spencer-rose.com