Application Security Engineer II

Application Security Engineer

Credit Acceptance is proud to be an award-winning company recognized both locally and nationally across multiple workplace categories. Our world-class culture is shaped by dedicated team members who are driven to succeed as professionals individually and together as a team. Backed by a strong product, exceptional people, and a stable financial foundation, we've grown into a leading provider of used and new car financing across the country.

Our Engineering and Analytics Team Members utilize the latest technology to develop, monitor, and maintain complex practices that help optimize our success. Our Team Members value being challenged, are encouraged to express their ideas, and have the flexibility to enjoy work life balance. We build intrinsic value by partnering with all functions of our business to support their success and make strategic business decisions. We focus on professional development and continuous improvement while enjoying a casual work environment and Great Place to Work culture!

The Application Security Engineer is responsible for securing the software and applications that Credit Acceptance builds, buys, and operates. This role partners closely with engineering, product, architecture, and business teams to ensure that applications handling sensitive consumer, dealer, and loan data are designed, developed, and deployed in a secure manner, meeting both internal security standards and the regulatory expectations of a financial services environment. This position focuses on embedding security into the software development lifecycle by providing hands-on technical guidance, performing threat modeling and application security reviews, defining secure design patterns and guardrails, and supporting engineering teams as they build and maintain modern web, mobile, API, and cloud-based applications.

Outcomes and Activities:

• This position will work from home; occasional planned travel to an assigned Southfield, Michigan office location may be required. However, this position is permitted to work at a Southfield, Michigan office location if requested by the team member.
• Partner with engineering and architecture teams to design and review application architectures (web, mobile, API, and microservices) for security, privacy, and regulatory compliance.
• Perform security reviews of applications and services at each stage of the SDLC, including design, code, building pipelines, dependencies, infrastructure-as-code, and third-party components.
• Identify and mitigate risks such as:
  • Injection, authentication/authorization, injection and session management flaws (OWASP Top 10, ASVS)
  • Insecure handling of NPI, PII, and payment data
  • Management of open-source dependency vulnerabilities and software supply chain risks
  • Insecure cloud configurations, secrets management, and exposed APIs
• Support threat modeling and risk assessments for new and existing applications, assisting teams in implementing practical mitigations.
• Assess and help mitigate security risks introduced by AI-assisted and agentic development tools (e.g., GitHub Copilot, Claude Code, LiteLLM), including review of AI-generated code, exposure of source code or secrets to external models, and proper use of internal LLM gateways.

Governance, Standards, and Policy

• Contribute to and operationalize application security standards, secure coding guidelines, and secure design patterns used across the company.
• Evaluate application security tooling (SAST, DAST, SCA, IAST, secrets scanning, ASPM) and vendors to ensure alignment with security, privacy, and compliance requirements.
• Support compliance with regulatory and industry frameworks (e.g., PCI DSS, GLBA, NIST SSDF, SOX) in collaboration with legal, compliance, audit, and risk partners.
• Contribute to standards and guardrails for secure use of AI-assisted development tools and agentic coding workflows.

Collaboration & Advisory

• Act as a trusted security advisor to Engineering, Product, and DevOps teams building, maintaining and operating applications at Credit Acceptance.
• Participate in design reviews, sprint planning, and architecture working sessions focused on secure development and deployment.
• Provide guidance on the secure use of frameworks, libraries, APIs, authentication systems, and cloud services that interact with company systems and data.
• Advise engineering teams on safe adoption of AI coding assistants and agentic development tools, including approved usage patterns, data handling expectations, and review of AI-generated changes.

Continuous Improvement

• Stay current on application security threats, vulnerabilities, and best practices, including emerging risks across web, mobile, API, and cloud-native applications.
• Recommend improvements to tooling, processes, and controls to strengthen the company's application security posture and shift security left in the SDLC.
• Contribute to internal documentation, secure coding training, and security enablement for developers and engineering teams.

Competencies:

• Customer Empathy: Customer Empathy is the ability to understand the perspectives, pain points, and experiences of customers. It involves actively putting oneself in the customer's shoes, comprehending their needs and challenges, and using that understanding to provide a better, more customer-centric experience.
• Engineering Excellence: Engineering Excellence is about bringing great craftsmanship and thought leadership to deliver an outstanding product that delights customers and solves for the business. This involves the pursuit and achievement of high standards, best practices, innovation, and superior solutions.
• One Team: A One Team mindset refers to a collaborative approach across the organization, where individuals work together seamlessly, without boundaries, as a single, cohesive team. Shared goals, open communication and mutual support create a sense of collective purpose. This enables teams to navigate challenges and pursue shared objectives more effectively.
• Owner's Mindset: Owner's Mindset involves adopting a set of behaviors that reflect a sense of responsibility, accountability, strategic thinking, and a proactive approach to managing your domain. As an owner, you understand the business and your domain(s) deeply and solve for the right outcome for the domain(s) and the business.

Required:

• Bachelor's Degree or equivalent experience
• 3+ years of experience in application security, product security, or secure software development.
• 2+ years of hands-on experience performing application security reviews, penetration testing, threat modeling, or secure code review.

Preferred:

• Experience securing modern web, mobile, and API-based applications in a regulated industry (e.g., financial services, healthcare).
• Familiarity with the OWASP Top 10, OWASP ASVS, and OWASP SAMM, and with software supply chain frameworks such as SLSA.
• Experience with cloud platforms (e.g., AWS, Azure, GCP) and containerized environments.
• Knowledge of regulatory and compliance considerations relevant to financial services (e.g., PCI DSS, GLBA, SOX).
• Experience embedding security into software development workflows (DevSecOps) and CI/CD pipelines.
• Hands-on experience with application security tooling such as SAST, DAST, SCA, IAST, secrets scanning, or ASPM platforms.
• Relevant certifications (e.g., GWAPT, GWEB, OSWE, CSSLP, CISSP) a plus.
• Familiarity with security considerations for AI-assisted development environments (e.g., GitHub Copilot, Claude Code) and LLM gateway/proxy tooling (e.g., LiteLLM).

Knowledge and Skills:

• Strong understanding of modern software development practices, frameworks, and architectures (web, mobile, API, microservices, serverless).
• Working knowledge of common application vulnerabilities and exploitation techniques, and the controls that mitigate them.
• Understanding of authentication, authorization, identity, cryptography, and secure data handling patterns.
• Familiarity with threat modeling, security testing, and risk assessment techniques.
• Ability to read and reason about code in one or more common programming languages.
• Working knowledge of AI-assisted and agentic software development tools (e.g., GitHub Copilot, Claude Code, LiteLLM) and the security risks they introduce in the SDLC.
• Ability to communicate security risks and recommendations clearly to both technical and non-technical audiences.

Target Compensation: A competitive base salary range from $85,695 – $125,685. This position is eligible for an annual variable cash bonus, between 7.5 - 15%. Bonus amounts are based on individual performance. Final compensation within the range is influenced by many factors including role-specific skills