Charles Schwab
Application Security Engineer
At a Glance
About This Role
Responsibilities
- Strengthen the development process and enhance security controls
- Reduce defects and vulnerabilities in production environments
- Conduct software security scanning and penetration testing
- Provide security architecture guidance
- Educate developers and testers on secure coding practices
- Partner with development teams to balance security requirements with innovation
- Interpret large volumes of distributed data and translate into actionable insights
- Implement and scale enterprise application security tools, services, and controls
Requirements
- Prior engineering experience within a Software Security Assurance or Application Security team
- Strong analytical skills
- Experience with Software Composition Analysis (SCA)
- Experience with Static Application Security Testing (SAST)
- Experience with secrets management solutions
- Solid application engineering experience
- Understanding of common application vulnerabilities and attack vectors
- Understanding of remediation strategies
- Familiarity with secure software design principles
- Experience with Fortify
- Experience integrating security tools into agile development environments
- Familiarity with OWASP, CIS, and NIST frameworks
- Minimum two years of experience with static analysis or threat modeling tools
- Strong understanding of secure coding practices
- Code review process knowledge
- Threat modeling expertise
- Security requirements analysis skills
- Architectural risk assessment capability
- Strong proficiency in Python-based automation
- REST API integration experience
- Custom CodeQL Query Development
- GitHub Advanced Security (GHAS) experience
- GitHub Actions expertise
- SARIF specification knowledge
- Enterprise Git workflow experience
- Application security vulnerability engineering knowledge
- Multi-repository architecture experience
- Enterprise package registry knowledge
- Technical documentation and Architecture Decision Records (ADRs) writing skills
Benefits & Perks
About Charles Schwab
Charles Schwab Corporation is a leading financial services firm that has transformed the investment landscape by making financial markets more accessible. Founded in 1971 in San Francisco, the company has grown to become the largest publicly traded investment services firm in the U.S., managing approximately $7.8 trillion in client assets across 32.5 million accounts. Schwab offers a wide range of services, including discount brokerage, online trading, and custodial services for independent investment advisors. The firm is known for its low commission rates and has eliminated commissions on online stock, ETF, and options trades. It also provides a comprehensive mutual funds marketplace and full-service banking options. Schwab primarily serves individual retail investors and financial professionals, focusing on removing barriers to investing and advocating for everyday people seeking to grow their wealth.
Security at Charles Schwab
Compiled from public job postings, careers pages, and company materials. Data may not reflect current state — verify during interviews.
Security Philosophy
“Charles Schwab's AppSec mission is to "safeguard information and cultivate client trust, empowering people to feel secure in every interaction."They operate within Schwab's Secure Application Development Standard and leverage AppSec services to "shift left"and continuously improve security posture. Their risk philosophy involves applying OWASP Top 10 knowledge to identify common vulnerability categories and advising teams on secure patterns. A stated goal is to contribute to the continuous improvement of application security processes and tooling. Information regarding gaps and contradictions in their philosophy is not publicly available.”
Security Team
The AppSec team is part of Schwab Cybersecurity Services (SCS), which is responsible for securing access, protecting data, and safeguarding applications, endpoints, and the cloud. Bashar Abouseido is a key public-facing leader, serving as Senior Vice President, Chief Information Security Officer. He has been quoted stating that "Google is transforming security operations and enabling our vision to stay proactive in responding to cyber threats."A precise team size estimate is not publicly available. As of, there is one active AppSec job posting (Application Security Analyst) on schwabjobs.com. Common skill/tool patterns from job postings include exposure to OWASP Top 10 concepts, hands-on familiarity with DAST workflows and tools, API Security fundamentals, programming fundamentals in Java and .NET, and familiarity with AppSec tooling including common DAST capabilities and BURP Suite. Information regarding other gaps and contradictions is not publicly available.
Key Initiatives
There is no evidence found for a Security Champions Program. The team supports "shift-left"practices by integrating AppSec tooling into build pipelines and promoting developer experience best practices. Their vulnerability management process involves performing and supporting DAST for web and API-based services (intake), and partnering with developers to reproduce findings, review fixes, and validate remediation (triage/remediation). They operate within Schwab's Secure Application Development Standard as part of their Secure SDLC Artifacts. A recent initiative (within the last 6 months) highlights that Google's automated response capabilities have "dramatically reduced"the financial services company's investigation resolution time. Information regarding other gaps and contradictions is not publicly available.
Preparing for an AppSec interview?
Get the weekly briefing 2,000+ security pros trust.
Interested in this role?
Apply on LinkedIn