Product & Application Security Engineer

About The Position

Requirements

• Bachelor's degree in Computer Science, Information Security, or a related field, or equivalent practical experience.
• Minimum 3 years of specific, hands-on experience in Application and Product Security.
• Deep understanding of web application and API security principles, including authentication, authorization (OAuth, OpenID Connect, JWT), session management, and access control models.
• Proficiency in IaC (Terraform, CloudFormation) and CI/CD pipeline security (e.g., GitHub Actions, CircleCI integrations).
• Proven experience conducting design and code reviews for web applications and APIs.
• Demonstrable experience deploying, configuring, and maintaining SAST and DAST tools within CI/CD pipelines (e.g., Jenkins, GitLab CI, Azure DevOps, CircleCI).
• Strong understanding of common web application vulnerabilities (OWASP Top 10) and their exploitation/mitigation.
• Experience with scripting languages (e.g., Python, Bash) for automation.
• Demonstrated ability to translate technical security risks into clear, concise business terms for diverse audiences, including legal, privacy, and product stakeholders.
• Experience collaborating directly with product teams to integrate security into product roadmaps and balance security with user experience.
• Excellent communication, interpersonal, and presentation skills.

Nice To Haves

• Relevant security certifications (e.g., CSSLP, GCSA, CISSP).
• Experience with privacy frameworks and regulations (e.g., GDPR, CCPA).
• Familiarity with cloud security architecture (AWS, Azure, GCP).
• Experience with security champion programs.

Responsibilities

• Provide deep expertise and guidance on secure authentication mechanisms, session management, and complex access control models relevant to a multi-tenant SaaS platform.
• Partner closely with product managers and engineering teams to embed security requirements early in the product development lifecycle, balancing user experience (UX) with robust security.
• Address security challenges unique to a SaaS environment, including multi-tenancy isolation, secure API design principles, prevention of horizontal privilege escalation, and secure data handling.
• Conduct hands-on security testing of APIs using various tools (e.g., Burp Suite, Postman, custom scripts) to identify vulnerabilities and ensure secure communication and data exchange.
• Collaborate with engineering and product teams to integrate security requirements and best practices throughout the entire SDLC, from design to deployment.
• Conduct thorough security reviews of application architecture, design documents, and source code to identify and mitigate potential vulnerabilities.
• Design, implement, and maintain the integration of Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) tools into our CI/CD pipelines, and runtime protection (RASP) for web apps.
• Develop, automate, and enhance our vulnerability management processes, including triage, prioritization, and tracking of security findings across applications.
• Provide guidance, training, and tools to developers on secure coding principles, common vulnerabilities, and secure design patterns.
• Provide expert security consultation and guidance to development teams on secure coding practices, architectural patterns, and vulnerability remediation.
• Stay current with the latest security threats, industry best practices, and emerging technologies, advocating for their adoption to enhance our platform's security posture.

Benefits

• Comprehensive health, life, and disability insurance.
• Generous leave policies that include 4 weeks of vacation, 12 company holidays, parental leave, and volunteer time off.
• 401k plans with up to 6% company match.
• $2000 Paid-Paid Vacation bonus.
• EAP through Headspace.