Lead Application Security Engineer

Backstage
Burbank, CA
25d
$140,000 - $170,000

About The Position

We're looking for an exceptional security engineer who can bridge the gap between application security expertise and DevOps automation. As our Lead Application Security & DevSecOps Engineer, you'll be the driving force behind building a security-first culture while implementing the tools and automation that make security seamless for our engineering teams. This is a high-impact role where you'll shape security architecture, build automated security pipelines, and work directly with engineering teams to deliver secure products at scale. You'll have the autonomy to define our security roadmap and the technical chops to execute it.

Requirements

  • 6+ years in application security with a strong track record of impact
  • Expert-level knowledge of web application security vulnerabilities (OWASP Top 10, injection attacks, authentication flaws, authorization issues, cryptographic failures, etc.)
  • Strong programming skills in 2+ languages such as Python, Java, JavaScript, C#
  • Proven experience securing CI/CD pipelines and building security automation
  • Hands-on expertise with security tools: SAST (SonarQube, Semgrep, Checkmarx), DAST (Burp Suite, OWASP ZAP), SCA (Snyk, Dependabot)
  • Deep understanding of authentication/authorization mechanisms (OAuth 2.0, OpenID Connect, SAML, JWT, API keys, TLS)
  • Production experience with cloud platforms (AWS, Azure, or GCP) and cloud-native security
  • Container security knowledge including Docker and Kubernetes security best practices
  • Excellent communication skills - able to explain security risks to engineers, product managers, and executives
  • Leadership experience mentoring engineers or leading security initiatives

Nice To Haves

  • Security certifications: OSCP, GWAPT, CSSLP, CEH, or CISSP
  • Cloud certifications: AWS Certified Security Specialty, Azure Security Engineer, GCP Professional Cloud Security Engineer
  • Experience with Infrastructure as Code security (Terraform, CloudFormation, Pulumi, Ansible)
  • Background in DevOps, SRE, or Platform Engineering
  • Knowledge of compliance frameworks (SOC 2, ISO 27001, PCI-DSS, HIPAA, GDPR)
  • Contributions to open-source security tools or projects
  • Experience with API security, microservices, and service mesh architectures
  • Penetration testing or red team experience
  • Understanding of cryptography, PKI, and secure communication protocols

Responsibilities

  • Own the application security vision and roadmap for the engineering organization
  • Design secure architecture for new products, services, and critical features
  • Conduct threat modeling sessions for high-risk systems and data flows
  • Define security standards, policies, and best practices for development teams
  • Serve as the security subject matter expert for engineering leadership
  • Drive security initiatives from concept through implementation
  • Lead post-incident security reviews and implement preventive measures
  • Perform in-depth security code reviews of critical and high-risk code changes
  • Identify, assess, and prioritize vulnerabilities across our application portfolio
  • Partner with development teams to remediate security findings effectively
  • Research and evaluate emerging threats, attack vectors, and security vulnerabilities
  • Provide security consultation and architectural guidance to product teams
  • Conduct security assessments of third-party integrations and dependencies
  • Stay ahead of industry trends and evolving attack techniques
  • Design and implement security automation throughout the CI/CD pipeline
  • Integrate, configure, and manage security scanning tools (SAST, DAST, SCA, secrets detection)
  • Build custom security tools and frameworks to scale security across teams
  • Automate security testing, vulnerability management, and compliance checking
  • Implement and manage secrets management solutions (Vault, cloud secret managers)
  • Secure containerized applications and Kubernetes deployments
  • Scan and enforce security policies for Infrastructure as Code (Terraform, CloudFormation)
  • Create security dashboards, metrics, and executive reporting
  • Continuously optimize security tooling for accuracy and developer experience
  • Mentor developers on secure coding practices and security principles
  • Build and lead a security champions program across engineering
  • Create security training materials and conduct workshops
  • Provide actionable security feedback that doesn't block velocity
  • Collaborate with DevOps and Platform teams on security improvements
  • Make security tooling intuitive and integrated into developer workflows

Benefits

  • Medical
  • Dental
  • Vision
  • PTO
  • Health and wellness programs
  • Employee discounts

What This Job Offers

Job Type

Full-time

Career Level

Mid Level

Industry

Food Services and Drinking Places

Education Level

No Education Listed

Number of Employees

51-100 employees

© 2024 Teal Labs, Inc