Senior Application Security Engineer

Key Responsibilities:

• Application Security Strategy & Execution: Contribute to the strategic AppSec roadmap and lead the implementation of the Secure Software Development Lifecycle (SSDLC) and security standards for all software products.
• Security Architecture & Design: Lead deep-dive architectural reviews and hands-on threat modeling sessions for high-stakes product features. Define and implement secure development patterns (Authentication, Authorization, Encryption) for engineering teams to adopt.
• Vulnerability Management & Triage: Lead the response to critical software vulnerabilities, contribute to managing the Bug Bounty program, and drive automated workflows for prioritizing remediation based on exploitability and business risk.
• Secure Frameworks & Tooling: Design and implement internal security libraries and "paved roads" that allow developers to build securely by default. Oversee the selection, implementation, and tuning of AppSec tooling (SAST, DAST, SCA) to ensure high signal-to-noise ratios.
• Cross-Functional Technical Leadership: Serve as a core security subject matter expert for the Engineering organization. Lead technical initiatives to remediate security debt and mentor junior security engineers on advanced application defense.
• Modern Web & API Security: Apply expert-level knowledge of REST/GraphQL APIs, OAuth2/OIDC, and modern web frameworks to harden the application layer against sophisticated attacks.
• Incident Response (App Layer): Serve as a key technical responder for application-level security incidents, conducting forensic analysis of code execution and logic flaws to prevent recurrence.
• Evangelism & Training: Lead technical developer workshops and contribute to the "Security Champions" program to elevate security awareness and secure-coding practices across the engineering organization.

Required Qualifications:

• 6+ years of experience in software engineering or application security, with significant tenure as a subject matter expert.
• Software Engineering Foundation: Strong background as a professional software developer, with the ability to read, write, and debug code in multiple languages (e.g., Python, Go, Java, or JavaScript/TypeScript).
• Expert Threat Modeling: Proven ability to threat model complex, distributed systems and identify logic flaws that automated tools miss.
• Deep Vulnerability Expertise: Demonstrated mastery of identifying and mitigating the OWASP Top 10, business logic vulnerabilities, and advanced exploitation vectors.
• Tooling Mastery: Extensive experience implementing and customizing AppSec tools (e.g., Snyk, Checkmarx, Burp Suite, Semgrep) within enterprise-scale CI/CD environments (GitHub Actions, GitLab, etc.).
• Identity & Access Expert: Deep technical understanding of identity protocols (SAML, OAuth2, OIDC) and modern authorization models (RBAC, ABAC).
• Technical Project Leadership: Proven ability to lead complex technical projects and drive large-scale, cross-functional AppSec initiatives to completion.

Preferred Qualifications:

• Certifications: OSCP, OSWA, OSWE, or Burp Suite Certified Practitioner (BSCP).
• Programming: Strong programming skills in NodeJS, Python, and/or Go.
• Cloud Fluency: Experience securing applications specifically within AWS environments (Lambda, ECS/EKS, DynamoDB security).
• Compliance: Familiarity with mapping technical application controls to compliance frameworks like SOC 2, HIPAA, or PCI-DSS.