Senior Application Security Engineer

About The Position

Requirements

• 6+ years in security engineering, DevSecOps, or related roles, including experience at scale
• Excellent communication and teamwork abilities
• Strong experience integrating security into modern SDLC pipelines
• Hands-on with AppSec tooling (Snyk, OWASP ZAP, Burp Suite, SonarQube, Checkmarx, etc.)
• Solid understanding of web app security (OWASP Top 10, API security, auth flows, input validation)
• Familiarity with AWS/Kubernetes security
• Strong programming skills (Python, Go, or JavaScript) to build tools, write secure code, and contribute to developer libraries
• Proven track record in partnering with product and engineering teams to drive security adoption without slowing down velocity
• Strong AWS security skills (IAM, KMS, Security Hub, GuardDuty, WAF)
• Experience with Kubernetes security (RBAC, OPA/Gatekeeper, network policies)
• Hands-on with Terraform, Helm, and GitOps practices
• Familiarity with security tooling (Trivy, Falco, Snyk, Aqua)
• Knowledge of networking, encryption, and cloud-native security best practices

Responsibilities

• Define and enforce best practices for secure coding, dependency management, and design reviews across engineering teams
• Integrate and manage SAST, DAST, and SCA tools within CI/CD pipelines (e.g., GitHub Actions)
• Partner with developers on new features and systems to identify risks early in the lifecycle
• Implement best practices for secrets handling, API authentication/authorization, and data protection
• Build security guidelines, training, and reusable libraries/patterns so that teams can ship secure code faster
• Triage and prioritize findings from bug bounties, penetration tests, and automated scans, ensuring timely resolution
• Act as the bridge between application developers and platform engineers to align app security with infra and compliance requirements
• Implement monitoring, alerting, and remediation for security incidents across our platform
• Scan and remediate vulnerabilities in container images, OS packages, dependencies, and IaC templates
• Design and maintain least-privilege IAM roles, secrets management, and authentication flows
• Automate evidence gathering and control enforcement for SOC 2, ISO 27001, and others

Benefits

• Canary Days: Company-wide days off to ensure there is at least one extended weekend or day off each month.
• Self Improvement Club: Monthly meetings to share personal goals with a budget for purchases that help achieve these goals.
• Professional Development Chats: Budget to drive cross-functional professional development conversations across the organization.
• Travel Reimbursement: Stipend for team members to visit offices in New York, San Francisco, or Dallas.
• Personal Travel Reimbursement: Credit towards stays at hotels that Canary works with.