Application Security Engineer – ServiceNow platform (Remote)
Application Security Engineer ServiceNow platform (Remote) We are looking for an Application Security Engineer for a large, global B2B high-tech company. In this role, you will manage the entire lifecycle of security findings reported by customers and penetration testers. This is a hands-on role that requires a deep understanding of security issues. You will triage real vulnerability reports, configure the ServiceNow instance to reflect the customer's setup, communicate directly with enterprise customers, and dive into the platform-level code to validate and assess security concerns. This is a 7.5-month contract (Extension possible). 40 hours per week, remote role in the US. This is a W2 employee of Stage 4 Solutions. Health benefits and 401K are offered.
Responsibilities
- Triage security findings submitted via customer channels validate exploitability, assess scope, assess risk, and determine remediation path.
- Analyze platform-level vulnerabilities across web, API, and server-side attack surfaces (SSRF, IDOR, blind query injection, SQLi, XSS, GraphQL abuse, privilege escalation, etc).
- Write customer-facing security assessments technically enough to satisfy CISO, clear enough for an account team to deliver.
- Coordinate with engineering on defect filing, backport decisions, and patch validation.
- Reproduce and verify reported vulnerabilities in lab environments (PDI/cloud instances/Local).
- Review code (JavaScript/Java) to trace attack paths and validate fix completeness.
Requirements
- 3+ years in application security, pentesting, bug bounty, or product security engineering.
- Strong working knowledge of OWASP Top 10 and beyond: prototype pollution, server-side injection, SSRF, IDOR, GraphQL attack surface.
- Comfortably navigate a ServiceNow instance and reason about security in the Now Platform context.
- Understand key platform mechanisms: ACLs/roles, scoped apps, business rules, scripted REST APIs, and data access patterns (GlideRecord/Table API).
- Mirror a customer scenario in a lab tenant to reproduce and validate reported issues.
- Trace the relevant server-side/client-side code path and clearly communicate scope and impact (what is and isn t affected).
- Ability to read and trace code across JavaScript and Java codebases
- Experience writing technical security reports for both engineering and executive audiences.
- CVSS scoring fluency not just the number, but the reasoning
Preferred
- Advanced ServiceNow platform experience (e.g., custom app development or deep familiarity with the ACL model and scoping boundaries)
- Background in customer-facing security roles or managed security services
- Familiarity with bug bounty programs (HackerOne, Bugcrowd) from the triage side
- Security certifications (GWEB, GWAPT, OSCP, or equivalent)
Please submit your resume to our network at http://www.stage4solutions.com/careers/ (apply to the Application Security Engineer ServiceNow platform (Remote) role). Please feel free to forward this job post to others you think may be interested. Stage 4 Solutions is an equal-opportunity employer. We celebrate diversity and are committed to providing employees with an inclusive environment that is free of discrimination and harassment. All employment decisions are based on the job requirements and candidates qualifications, without regard to race, color, religion/belief, national origin, gender identity, age, disability, marital status, genetic information, or other applicable legally protected characteristics. Compensation: $100/hr - $104/hr. Apply To This Job