Adverse Events, Agile Programming Methodologies, Analysis Skills, Application Programming Interface (API), Applications Security, Architectural Analysis, Authentication, Automation, Best Practices, Business Support, Code Reviews, Communication Skills, Computer Security, Continuous Deployment/Delivery, Continuous Integration, Corporate Policies, Database Administration, Ecosystems, Engineering, Enterprise Protection, Git, GitHub, Industry Standards, Information Assets, Information/Data Security (InfoSec), Internet Security, Leadership, Onboarding, Penetration Testing, Process Modeling, Production Systems, Protective Services, Python Programming/Scripting Language, REST (Representational State Transfer), Release Management/Engineering, Requirements Management, Risk Analysis, Secure Coding, Security Analysis, Security Architecture, Security Attacks, Security Software, Software Design, Software Development, Software Development Lifecycle (SDLC), Software Engineering, Software Testing, Static Analysis, Technical Writing, Test Plan/Schedule, Test Tools, Testing, Threat Modeling, U.S. National Institute of Standards and Technology (NIST), Writing Skills
Your Opportunity
The Schwab Application Security team, operating under the leadership of the Chief Information Security Officer (CISO), is responsible for protecting Schwab's information assets in support of business objectives and in alignment with corporate policies. As a core function within Cybersecurity Services, the Application Security team leads the establishment and ongoing evolution of Schwab's Secure Software Development Program. This includes the creation and implementation of software security policies and best practices, providing security architecture guidance, conducting software security scanning and penetration testing, and educating developers and testers on secure coding practices.
The Software Security Engineer plays a key role in safeguarding software assets by strengthening the development process, enhancing security controls, and reducing defects and vulnerabilities in production environments.
Successful candidates will have prior engineering experience within a Software Security Assurance or Application Security team and a proven ability to partner effectively with development teams to balance security requirements with innovation. They will demonstrate strong analytical skills, including the ability to interpret large volumes of distributed data and translate it into clear, actionable insights. Candidates should also have experience working with a range of application security tools, including Software Composition Analysis (SCA), Static Application Security Testing (SAST), and secrets management solutions.
In addition, candidates will bring solid application engineering experience and a strong understanding of common application vulnerabilities, attack vectors, and remediation strategies. They should be familiar with secure software design principles and industry best practices for integrating security into the software development lifecycle. Experience with application security testing tools, such as Fortify, and their integration into agile development environments is expected.
Candidates should have familiarity with recognized industry frameworks and standards such as OWASP, CIS, and NIST. A minimum of two years of experience working with static analysis or threat modeling tools is expected, along with experience implementing and scaling enterprise application security tools, services, and controls. Finally, candidates must demonstrate a strong understanding of secure coding practices, code review processes, threat modeling, security requirements analysis, and architectural risk assessment.
What you have
Preferred Qualifications
Python Automation & API Integration
- Strong proficiency in designing Python‑based automation for large‑scale REST API integrations, including repository management, content discovery, workflow orchestration, and encoded file handling across enterprise source‑control platforms.
- Custom CodeQL Query Development
- Strong understanding of CodeQL query authoring concepts, including QL pack management, database creation, dependency resolution via --search-path, and techniques for minimizing false positives through boundary analysis and source/sink filtering.
- GitHub Advanced Security (GHAS) Platform Engineering
- Deep familiarity with GitHub Advanced Security capabilities, including Code Scanning, Secret Scanning, Dependency Review, custom query configuration, and scalable alert triage and remediation workflows across multiple repositories.
CI/CD Pipeline Architecture (GitHub Actions)
- Demonstrated expertise in architecting reusable and scalable CI/CD workflows using GitHub Actions, including callable workflows, matrix strategies, cross‑repository authentication models, and centralized pipeline governance.
SARIF Output Analysis & Interpretation
- Strong knowledge of the SARIF specification and its use in static analysis pipelines, including interpreting results, validating findings, identifying false positives, and enabling automated reporting across diverse codebases.
Enterprise Git Workflow & Release Management
- Experience designing and governing enterprise Git workflows, including structured branching strategies, release coordination, branch protection rules, cross‑organization pull requests, and versioning policy enforcement.
Application Security Vulnerability Engineering
- Solid understanding of common software weakness classes and the intentional design of vulnerable code patterns to validate static analysis coverage, detection accuracy, and severity classification.
Multi‑Repository Architecture & Configuration Delivery
- Proven ability to architect centralized configuration and workflow distribution models for large repository ecosystems, including reusable workflows, configuration validation, and scalable authentication mechanisms.
Enterprise Package Registry & Dependency Governance
- Strong knowledge of internal package ecosystems and dependency governance, including artifact repository configuration, registry enforcement and blocking strategies, and controlled use of vulnerable dependencies for security testing.
Technical Documentation & Architecture Decision Records
- Excellent written communication skills with experience producing high‑quality technical documentation, including Architecture Decision Records (ADRs), onboarding guides, and operational runbooks for cross‑functional engineering teams.
T
The Charles Schwab Corp
The Charles Schwab Corporation is a leading provider of financial services, with more than 300 offices. Through its operating subsidiaries, the company provides a full range of securities brokerage, banking, money management and financial advisory services to individual investors and independent investment advisors. Named "Highest in Investor Satisfaction with Self-Directed Services" by J.D. Power and Associates in 2009, its broker-dealer subsidiary, Charles Schwab & Co., Inc. (member
SIPC) affiliates offer a complete range of investment services and products including an extensive selection of mutual funds; financial planning and investment advice; retirement plan and equity compensation plan services; referrals to independent fee-based investment advisors; and custodial, operational and trading support for independent, fee-based investment advisors through Schwab Advisor Services.
The Charles Schwab Bank (member FDIC) provides banking and mortgage services and products. To meet the needs of our clients, we are actively recruiting people with the desire, drive and creativity to find solutions that help meet our clients' needs; who want the chance to learn, grow with the company and explore their career opportunities; who will strive for excellence in achieving our clients' and our company's goals; who have the highest ethical standards - individuals who take pride in making a difference in people's lives.