About The Position

AtoB is looking to hire a dedicated Application Security Engineer. You’ll join a small security team, working cross-functionally with backend, frontend, DevOps, product, and compliance teams to push security forward in every part of our stack.

Requirements

  • 4+ years of experience securing web and/or API-based applications in a production setting
  • Hands-on experience with static analysis (SAST), dynamic analysis (DAST), interactive application security testing (IAST) or similar tools
  • Experience performing manual code reviews in languages like Java, Python, Go, JavaScript/TypeScript, or others used at AtoB
  • Understanding of common web / API vulnerabilities (OWASP Top 10, API abuses, SSRF, injection, XSS, deserialization, etc.)
  • Familiarity with authentication & authorization mechanisms (OAuth2/OIDC, JWT, session management, RBAC, etc.)
  • Experience integrating security into a CI/CD pipeline (GitHub Actions, GitLab CI, Jenkins, CircleCI, etc.)
  • Working knowledge of cloud platforms (AWS, GCP, Azure) and container/orchestration (Docker, Kubernetes)
  • Strong problem-solving skills, ability to operate in ambiguity and drive security outcomes in fast-moving teams
  • Excellent communication skills — you’ll partner and negotiate with engineers, product, and leadership

Responsibilities

  • Design and implement security tooling, automation, and processes to support secure development, deployment, and operations
  • Perform threat modeling, design reviews, and security assessments (API, web, mobile, microservices)
  • Conduct secure code reviews, dynamic and static application security testing, and penetration testing
  • Work closely with engineering teams to remediate identified security issues, embed secure practices in SDLC, and strike the balance between speed and safety
  • Investigate and respond to application-level security incidents or suspicious behavior
  • Help define and enforce security standards, policies, and best practices across the engineering organization
  • Maintain and improve application security infrastructure: e.g. vulnerability scanners, SAST/DAST tools, secrets management, dependency scanning, WAF configuration, RASP, etc.
  • Stay abreast of new threats, vulnerabilities, and relevant industry practices; share knowledge (e.g. internal training, security guilds, writing blog posts)