Senior Application Developer Jobs in Colorado

INTRODUCTION

$130,000 - $165,000 + VIP Bonus

Our fast-paced and collaborative environment inspires us to create, think, and challenge each other in ways that make our solutions and our teams better. Whether you’re interested in engineering or development, marketing or sales, or something else – if this sounds like you, then we’d love to hear from you!

We are headquartered in Denver, Colorado, with offices in the US, Canada, and India.

The insurance industry runs on Vertafore. We equip agencies, MGAs, and carriers with the core digital systems, specialized AI, and data-driven foundation to eliminate distribution drag across the insurance lifecycle, spanning sales, servicing, and back-office operations.

Underpinned by unmatched speed and performance power, we are the trusted backbone that’s taking the insurance industry from friction to flow with Distribution Velocity – speed, performance, and trust - to drive growth at scale.

With over 95% of the top agencies and insurers and 50% of industry compliance transactions running through Vertafore, we lead at the intersection of innovation and trust, giving insurance professionals the confidence to transform and win in the AI era.

ROLE AND RESPONSIBILITIES

The Senior Application Security Engineer is responsible for advancing application, product, cloud, API, identity, and AI security across Vertafore’s software engineering organization. This role partners directly with product, engineering, architecture, DevOps, cloud, and security teams to identify risk early, define secure design patterns, and embed scalable security controls into the software development lifecycle.

This role will serve as a hands-on technical security partner for application teams, helping them understand and document application architecture from a security perspective, identify trust boundaries and attack paths, and implement practical mitigations. The Senior Application Security Engineer will support secure design reviews, threat modeling, secure coding practices, vulnerability management, CI/CD security controls, API security, identity and access management patterns, and emerging AI/agentic product security capabilities.

A key focus of this position is securing AI-enabled applications and AI agents integrated into Vertafore products. This includes understanding AI agent architecture, authentication and authorization patterns, memory handling, prompt tracing, tool/plugin access, guardrails, model and runtime behavior, AI runtime scanning, and secure use of code-assist tools within engineering workflows.

The ideal candidate is a strong application security practitioner who can translate complex technical risk into actionable engineering guidance, influence teams without direct authority, and help product teams ship securely without unnecessary friction.

Core Requirements and Responsibilities:

Essential job functions included but are not limited to the following:

• Partner with product and engineering teams to perform application security reviews, secure architecture reviews, and threat modeling for new and existing applications, services, APIs, integrations, and cloud-native workloads.

• Work with teams to understand application architecture, data flows, trust boundaries, authentication and authorization models, third-party integrations, deployment patterns, and security-relevant design decisions.

• Document application architecture from a security perspective, including key assets, identity flows, privilege boundaries, attack surfaces, sensitive data flows, control gaps, and recommended mitigations.

• Identify and prioritize application security risks across web applications, APIs, microservices, SaaS platforms, cloud services, CI/CD pipelines, infrastructure-as-code, and AI-enabled product capabilities.

• Provide hands-on guidance to engineering teams on secure coding, secure design, vulnerability remediation, secrets management, dependency risk, API security, input validation, authentication, authorization, session management, logging, and error handling.

• Support and improve secure SDLC practices, including security requirements, design review checkpoints, threat modeling, secure code review, automated scanning, developer education, exception management, and remediation tracking.

• Integrate and tune security tooling across CI/CD pipelines, including SAST, SCA, IaC scanning, container scanning, DAST, API security testing, secrets detection, and AI runtime security scanning where applicable.

• Help define and operationalize security controls for AI agents and AI-enabled product features, including guardrails, authentication, authorization, prompt tracing, model/tool interaction logging, memory controls, data leakage prevention, abuse-case testing, and runtime monitoring.

• Evaluate the secure use of AI code-assist tools and developer productivity tools, including risks related to data exposure, insecure code generation, hallucinated dependencies, licensing, secrets leakage, provenance, and secure review workflows.

• Collaborate with DevOps and platform teams to embed security controls into CI/CD workflows while minimizing developer friction and false positives.

• Review identity and access management patterns across applications and platforms, including IAM, PAM, JIT access, service accounts, least privilege, privileged workflows, role design, federation, SSO, API access, token handling, and lifecycle governance.

• Partner with cloud and infrastructure teams to review application-level cloud security controls across AWS, Azure, and related platforms.

• Support vulnerability management by validating findings, assessing exploitability and business impact, partnering on remediation plans, and escalating material risks when needed.

• Develop reusable security patterns, reference architectures, standards, guardrails, and implementation guidance for engineering teams.

• Mentor engineers and security team members on application security, cloud security, API security, AI security, threat modeling, and secure SDLC practices.

• Communicate risk clearly to technical and non-technical stakeholders, including engineering leaders, product leaders, compliance partners, and security leadership.

• Contribute to security policy, standards, compliance, and audit readiness efforts related to application security, product security, identity, cloud, AI, and SDLC controls.

• Participate in security incident response, security operations escalation, or on-call processes as required by the business.

KNOWLEDGE, SKILLS AND ABILITIES

• Strong knowledge of application security principles, secure design, secure coding, web application security, API security, cloud-native application security, and secure SDLC practices.

• Strong understanding of common application and API vulnerabilities, including OWASP Top 10, OWASP API Security Top 10, authentication bypass, authorization flaws, injection, insecure deserialization, SSRF, business logic flaws, secrets exposure, and supply chain risks.

• Experience performing security architecture reviews, threat modeling, design reviews, and risk assessments for modern software systems.

• Ability to understand complex application architectures and document them from a security perspective, including data flows, trust boundaries, identity flows, external integrations, and critical control points.

• Working knowledge of AI-enabled application and AI agent security concepts, including agent components, tool use, memory, prompt handling, prompt tracing, guardrails, authentication, authorization, runtime monitoring, abuse-case testing, and data protection.

• Familiarity with AI security frameworks, patterns, or risk areas such as prompt injection, indirect prompt injection, tool misuse, excessive agency, data leakage, insecure plugin/tool access, model output handling, and agentic workflow abuse.

• Experience evaluating or securing AI code-assist tools, including secure configuration, acceptable-use guardrails, source code exposure risks, generated-code review practices, and developer workflow controls.

• Experience integrating security testing and security gates into CI/CD pipelines, including SAST, SCA, IaC scanning, container scanning, secrets scanning, DAST, API testing, and AI runtime scanning.

• Strong understanding of identity and access management concepts, including IAM, PAM, JIT access, least privilege, RBAC/ABAC, federation, SSO, MFA, privileged workflows, service identities, API tokens, and access lifecycle management.

• Experience with cloud security concepts and services across AWS and/or Azure, particularly as they relate to application workloads, identity, networking, logging, encryption, and deployment pipelines.

• Familiarity with WAF, API gateway, rate limiting, bot protection, DLP, logging/monitoring, SIEM integrations, and application-layer detective and preventive controls.

• Ability to assess vulnerabilities based on exploitability, compensating controls, business impact, and remediation complexity rather than scanner severity alone.

• Ability to influence engineering teams and product stakeholders through practical, risk-based guidance.

• Strong written and verbal communication skills, including the ability to explain security risk, tradeoffs, and recommended actions to both technical and non-technical audiences.

• Ability to create repeatable standards, patterns, playbooks, and architecture guidance that scale across multiple teams and products.

• Strong collaboration skills with engineering, architecture, DevOps, cloud, compliance, IT, identity, and security operations teams.

• Ability to work independently, manage competing priorities, and operate effectively in a remote or hybrid environment.

BASIC QUALIFICATIONS

• Bachelor’s degree in Cybersecurity, Computer Science, Information Technology, Software Engineering, or related field OR equivalent experience.

• 7+ years of experience in application security, product security, security engineering, software engineering with security focus, cloud security, or security architecture.

• Hands-on experience with application security reviews, threat modeling, secure SDLC practices, vulnerability management, and engineering partnership.

• Experience securing cloud-hosted applications, APIs, microservices, CI/CD pipelines, and modern software delivery environments.

• Experience with at least several of the following security tools or control areas: SAST, DAST, SCA, secrets scanning, container scanning, IaC scanning, API security testing, WAF, CNAPP/CSPM, CI/CD security controls, SIEM/logging, or runtime application security monitoring.

• Experience with identity and access management patterns, including IAM, PAM, JIT access, privileged access workflows, service account governance, SSO, MFA, RBAC/ABAC, and least privilege.

• Experience or demonstrated working knowledge of AI application security, AI agents, LLM-enabled product features, AI runtime controls, AI-assisted development workflows, or secure AI adoption is strongly preferred.

• Experience working directly with software engineering teams to document architecture, identify security risks, and drive remediation through practical engineering guidance.

• Security certifications are a plus, such as CSSLP, CISSP, GWAPT, GWEB, AWS Security Specialty, CCSP, or other relevant credentials.

• Familiarity with regulatory, compliance, or control frameworks such as SOC 2, ISO 27001, NIST CSF, NIST SSDF, OWASP ASVS, OWASP SAMM, or similar frameworks is preferred.

ADDITIONAL REQUIREMENTS AND DETAILS

• Travel required up to 10% of the time.

• Ability to work remote with a stable internet connection on an as needed basis.

• Located and working from an office location (when required).

• Occasional lifting and/or moving up to 10 pounds.

• Frequent repetitive hand and arm movements required to operate a computer.

• Specific vision abilities required by this job include close vision (working on a computer, etc.).

• Frequent sitting and/or standing.

WHY VERTAFORE IS THE PLACE FOR YOU: Canada Only

• The opportunity to work in a space where modern technology meets a stable and vital industry.

• Medical, vision & dental plans.

• Life, AD&D.

• Short Term and Long Term Disability.

• Pension Plan & Employer Match.

• Maternity, Paternity and Parental Leave.

• Employee and Family Assistance Program (EFAP).

• Education Assistance.

• Additional programs - Employee Referral and Internal Recognition.

WHY VERTAFORE IS THE PLACE FOR YOU: US Only

• The opportunity to work in a space where modern technology meets a stable and vital industry.

• We have a Flexible First work environment! Our North America team members use our offices for collaboration, community and team-building, with members asked to sometimes come into an office and/or travel depending on job responsibilities. Other times, our teams work from home or a similar environment.

• Medical, vision & dental plans

• PPO & high-deductible options.

• Health Savings Account & Flexible Spending Accounts Options:

• Health Care FSA.
• Dental & Vision FSA.
• Dependent Care FSA.

• Commuter FSA.

• Life, AD&D (Basic & Supplemental), and Disability.

• 401(k) Retirement Savings Plan & Employer Match.

• Supplemental Plans - Pet insurance, Hospital Indemnity, and Accident Insurance.

• Parental Leave & Adoption Assistance.

• Employee Assistance Program (EAP).

• Education & Legal Assistance.

• Additional programs - Tuition Reimbursement, Employee Referral, Internal Recognition, and Wellness.

• Commuter Benefits (Denver).

The selected candidate must be legally authorized to work in the United States.

The above statements are intended to describe the general nature and level of work being performed by people assigned to this job. They are not intended to be an exhaustive list of all the job responsibilities, duties, skill, or working conditions. In addition, this document does not create an employment contract, implied or otherwise, other than an "at will" relationship.

Vertafore strongly supports equal employment opportunity for all applicants regardless of race, color, religion, sex, gender identity, pregnancy, national origin, ancestry, citizenship, age, marital status, physical disability, mental disability, medical condition, sexual orientation, genetic information, or any other characteristic protected by state or federal law.

THE PROFESSIONAL SERVICES (PS) AND CUSTOMER SUCCESS (CX) bonus plans are a quarterly monetary bonus plan based upon individual and practice performance against specific business metrics. Eligibility is determined by several factors including: start date, good standing in the company, and actives status at time of payout.

THE VERTAFORE INCENTIVE PLAN (VIP) is an annual monetary bonus for eligible employees based on both individual and company performance. Eligibility is determined by several factors including: start date, good standing in the company, and actives status at time of payout.

Commission plans are tailored to each sales role but common components include quota, MBO's and ABPMs. Salespeople receive their formal compensation plan within 30 days of hire.

Vertafore is a drug free workplace and conducts preemployment drug and background screenings.

We do not accept resumes from agencies, headhunters or other suppliers who have not signed a formal agreement with us.

We want to make sure our recruiting process is accessible for everyone. If you would like to contact us regarding the accessibility of our website or need assistance completing the application process, please contact recruiting@vertafore.com.

Just a note, this contact information is for accommodation requests only.

Vertafore is a Flexible First working environment which allows team members to work from home as often as you’d like, while using our offices as a place for collaboration, community, and teambuilding. There are times you may be asked to come into an office and/or travel for specific meetings for a specific business purpose and this varies by job responsibilities.