Application Security Engineer II
Credit Acceptance
5h ago
$86k - $126k | Dev | United States | himalayas
Application-Security-Engineering, Product-Security, Secure-Software-Development, DevSecOps, Security-Engineering, Application-Security-Engineer, Cybersecurity-Engineer-II, AppSec-Engineer, Software-Security-Engineer, Mid-level
Job Description
Credit Acceptance is proud to be an award-winning company recognized both locally and nationally across multiple workplace categories. Our world-class culture is shaped by dedicated team members who are driven to succeed as professionals individually and together as a team. Backed by a strong product, exceptional people, and a stable financial foundation, we’ve grown into a leading provider of used and new car financing across the country.

Our Engineering and Analytics Team Members utilize the latest technology to develop, monitor, and maintain complex practices that help optimize our success. Our Team Members value being challenged, are encouraged to express their ideas, and have the flexibility to enjoy work-life balance. We build intrinsic value by partnering with all functions of our business to support their success and make strategic business decisions. We focus on professional development and continuous improvement while enjoying a casual work environment and Great Place to Work culture!

The Application Security Engineer is responsible for securing the software and applications that Credit Acceptance builds, buys, and operates. This role partners closely with engineering, product, architecture, and business teams to ensure that applications handling sensitive consumer, dealer, and loan data are designed, developed, and deployed in a secure manner, meeting both internal security standards and the regulatory expectations of a financial services environment.

This position focuses on embedding security into the software development lifecycle by providing hands‑on technical guidance, performing threat modeling and application security reviews, defining secure design patterns and guardrails, and supporting engineering teams as they build and maintain modern web, mobile, API, and cloud‑based applications.

Outcomes and Activities:

This position will work from home; occasional planned travel to an assigned Southfield, Michigan office location may be required. However, this position is permitted to work at a Southfield, Michigan office location if requested by the team member.

- Partner with engineering and architecture teams to design and review application architectures (web, mobile, API, and microservices) for security, privacy, and regulatory compliance.
- Perform security reviews of applications and services at each stage of the SDLC, including design, code, building pipelines, dependencies, infrastructure‑as‑code, and third‑party components.
- Identify and mitigate risks such as:
  - Injection, authentication/authorization, and session management flaws (OWASP Top 10, ASVS)
  - Insecure handling of NPI, PII, and payment data
  - Management of open‑source dependency vulnerabilities and software supply chain risks
  - Insecure cloud configurations, secrets management, and exposed APIs
- Support threat modeling and risk assessments for new and existing applications, assisting teams in implementing practical mitigations.
- Assess and help mitigate security risks introduced by AI‑assisted and agentic development tools (e.g., GitHub Copilot, Claude Code, LiteLLM), including review of AI‑generated code, exposure of source code or secrets to external models, and proper use of internal LLM gateways.

Governance, Standards, and Policy

- Contribute to and operationalize application security standards, secure coding guidelines, and secure design patterns used across the company.
- Evaluate application security tooling (SAST, DAST, SCA, IAST, secrets scanning, ASPM) and vendors to ensure alignment with security, privacy, and compliance requirements.
- Support compliance with regulatory and industry frameworks (e.g., PCI DSS, GLBA, NIST SSDF, SOX) in collaboration with legal, compliance, audit, and risk partners.
- Contribute to standards and guardrails for secure use of AI‑assisted development tools and agentic coding workflows.

Collaboration & Advisory

- Act as a trusted security advisor to Engineering, Product, and DevOps teams building, maintaining and operating applications at Credit Acceptance.
- Participate in design reviews, sprint planning, and architecture working sessions focused on secure development and deployment.
- Provide guidance on the secure use of frameworks, libraries, APIs, authentication systems, and cloud services that interact with company systems and data.
- Advise engineering teams on safe adoption of AI coding assistants and agentic development tools, including approved usage patterns, data handling expectations, and review of AI‑generated changes.

Continuous Improvement

- Stay current on application security threats, vulnerabilities, and best practices, including emerging risks across web, mobile, API, and cloud‑native applications.
- Recommend improvements to tooling, processes, and controls to strengthen the company's application security posture and shift security left in the SDLC.
- Contribute to internal documentation, secure coding training, and security enablement for developers and engineering teams.

Competencies: Customer Empathy: Customer Em
