About The Position

Trail of Bits seeks a Security Engineer, Application Security within our growing Software Assurance practice. You will conduct comprehensive security assessments of client software with a focus on low-level code analysis, examining system architecture, security boundaries, access controls, and platform security mechanisms. On any given day, you might analyze vulnerabilities in application code, automate the detection of security misconfigurations in cloud environments, assess privilege escalation capabilities, or review security boundaries in complex systems. Working alongside other security engineers, you'll contribute to client projects while building impactful tools. In short, your work will land at the intersection of Vulnerability Research and Application Security. In addition to working with leading technology companies in the private sector, you will have opportunities to collaborate with our Research & Engineering team to help secure funding from government agencies for advanced security research that bridges vulnerability research and application security, advancing the state of the art both within our team and industry at large.

Requirements

  • Application security assessment experience. Direct experience conducting low-level code security assessments of complex software, identifying and mitigating application and system-level vulnerabilities. You read the code, not just the scanner output.
  • Hands-on experience performing manual code reviews to find vulnerabilities that automated tools miss. You can explain why a bug is exploitable, not just that a tool flagged it.
  • Experience using static and dynamic analysis tools as part of a deeper review process, including knowledge of where these tools fall short and how to extend them.
  • Experience performing binary analysis and reverse engineering of compiled software. Comfortable with disassemblers, decompilers, and the surrounding tooling.
  • Demonstrated experience identifying memory corruption vulnerabilities and reasoning about modern mitigations. You understand the exploit primitives, not just the CWE category.
  • Deep experience reasoning about system internals, IPC, access control implementations, and platform security boundaries in complex software.
  • Experience performing architecture reviews and threat modeling of software systems and cloud environments, identifying weaknesses in data flows, authentication, and API design and proposing realistic remediation.
  • Experience designing and building custom security tools for automated vulnerability detection. You bridge vulnerability research and application security by shipping tools, not just consuming vendor outputs.
  • Hands-on experience programming in two or more of Rust, Golang, Kotlin, Swift, Objective-C, JavaScript, TypeScript, Python, Ruby, C, or C++, used for both security analysis and tool development.
  • Experience translating complex security findings into clear, actionable recommendations for engineering and security teams. Reports here get read by people who can push back.

Nice To Haves

  • Experience with Android, iOS, or macOS system internals
  • Experience contributing to open source security tools, libraries, or research
  • Experience publishing original vulnerability research, CVEs, or technical writeups
  • Experience speaking at security conferences (DEF CON, Black Hat, BSides, OffensiveCon, RECon, etc.)
  • Experience identifying security misconfigurations in cloud environments (AWS, GCP, Azure)
  • Experience collaborating on government-funded security research (DARPA, IARPA, ONR, etc.)

Responsibilities

  • Conduct comprehensive low-level code security assessments across applications, examining vulnerabilities in system services, access control implementation, inter-process communication, and platform security controls while developing mitigation strategies.
  • Design and implement custom security tools for automated vulnerability detection, focusing on both application-specific and general security testing needs to bridge the gap between vulnerability research and application security.
  • Perform detailed architecture reviews and threat modeling of complex software systems and cloud environments, identifying potential security weaknesses in areas such as data flows, authentication mechanisms, and API security while providing remediation guidance.
  • Work directly with industry-leading teams to review their application infrastructure and architecture, helping secure their environments through deep technical analysis and recommendations.
  • Contribute to the advancement of application security, developing new methodologies and tools while staying up to date with the latest security developments in both traditional and emerging technology ecosystems.

Benefits

  • Competitive salary complemented by performance-based bonuses.
  • Fully company-paid insurance packages, including health, dental, vision, disability, and life.
  • A solid 401(k) plan with a 5% match of your base salary.
  • 20 days of paid vacation with flexibility for more, adhering to jurisdictional regulations.
  • 4 months of parental leave to cherish the arrival of new family members.
  • $10,000 in relocation assistance to support your transition to NYC.
  • $1,000 Working-from-Home stipend to create a comfortable and productive home office.
  • Annual $750 Learning & Development stipend for continuous personal and professional growth.
  • Company-sponsored all-team celebrations, including travel and accommodation, to foster community and recognize achievements.
  • Philanthropic contribution matching up to $2,000 annually.

What This Job Offers

  • Job Type: Full-time
  • Career Level: Senior
  • Education Level: No Education Listed
  • Number of Employees: 11-50 employees
