Application Security Engineer

Nectar, Lehi, UT
Hybrid

About The Position

We're building the future of workplace recognition and rewards. Join our team as we scale our platform to serve thousands of companies worldwide. We're seeking a talented Application Security Engineer to join our security team. In this role, you'll be responsible for securing our platform, identifying vulnerabilities, and building security into our development lifecycle. You'll work closely with our product engineering teams to ensure our application meets the highest security standards.

Requirements

  • 3-5 years of experience in application security, software engineering, or a related field
  • Strong understanding of common web and API vulnerabilities (OWASP Top 10) and secure coding practices
  • Practical experience finding and fixing vulnerabilities via a mix of code review and testing (SAST, DAST, SCA, manual testing)
  • Ability to read and review code in at least one modern language (Python, JavaScript/TypeScript, Go, or similar)
  • Experience partnering with product engineering teams to ship mitigations and improve secure-by-default patterns
  • Familiarity with cloud security fundamentals (Google Cloud Architecture or AWS Well-Architected frameworks) and CI/CD concepts
  • Working knowledge of authentication and authorization concepts (sessions, OAuth/OIDC basics)
  • Strong written and verbal communication skills, including the ability to explain risk and tradeoffs to non-security audiences
  • Ability to balance security requirements with business needs and development velocity

Nice To Haves

  • Security certifications (OSCP, CEH, CISSP, or similar)
  • Experience with modern web application frameworks and APIs
  • Experience with security monitoring and logging solutions (SIEM)
  • Familiarity with DevSecOps practices and infrastructure as code
  • Experience in a fast-paced startup environment
  • Contributions to open source security projects
  • Experience using AI tools in day-to-day engineering and security work (e.g., using assistants to accelerate investigation, write or review code, draft documentation, and summarize findings), with good judgment around data sensitivity and verification

Responsibilities

  • Security Architecture & Design: Partner with engineering teams to design and implement secure systems, conduct threat modeling, and provide security guidance throughout the development lifecycle
  • Vulnerability Management: Conduct security assessments, code reviews, and penetration testing to identify and remediate security vulnerabilities across our application stack
  • Security Tooling: Implement and maintain security tools including SAST, DAST, IAST, SCA, and dependency scanning solutions in our CI/CD pipeline
  • Incident Response: Respond to security incidents, conduct root cause analysis, and develop remediation strategies
  • Security Standards: Develop and enforce security policies, standards, and best practices across the engineering organization
  • Training & Awareness: Educate development teams on secure coding practices and emerging security threats
  • Compliance: Support compliance efforts for SOC 2, GDPR, NIST CSF, and other relevant security frameworks
  • Edge & WAF Security: Help manage and tune our WAF (e.g., Cloudflare or AWS WAF), including writing and refining rules, reducing false positives, reviewing blocked traffic, and identifying common attack patterns.

Benefits

  • Competitive salary and equity package
  • Comprehensive health, dental, and vision insurance
  • Unlimited PTO
  • Collaborative and inclusive team culture
  • Opportunity to make a significant impact on product security
© 2024 Teal Labs, Inc