Senior Application Security Engineer

Qualia
Austin, TX
Remote

About The Position

We're hiring a Senior Application Security Engineer to join a small, high-leverage AppSec team. This is a deep-technical IC role with a staff-leaning scope: you'll set the technical direction and own delivery on how we find, fix, and prevent vulnerabilities across Qualia's products and cloud infrastructure, and you'll be the person other engineers want in the room when an architecture decision has a security dimension. You'll partner daily with product engineering, infrastructure, and platform teams, and you'll work closely alongside our existing AppSec engineers - raising the technical bar of the team while staying deeply hands-on with code, tooling, and adversarial testing. This is the right role for someone who is as comfortable writing a Burp extension or a Semgrep rule as they are pairing with a product engineer to land a fix.

Requirements

  • 8+ years of hands-on experience in application security, offensive security, or security engineering, with demonstrable depth in at least two of: offensive testing, security tooling/automation, and cloud/infra security
  • Strong offensive skills - you can manually exploit real web and API vulnerabilities beyond what a scanner will find, and you can teach others to do the same
  • Deep familiarity with building and operating security tooling in a modern engineering org: SAST/DAST/SCA pipelines, custom detection rules, secrets scanning, and CI/CD security gates. You've written tooling, not just configured it
  • Production experience with AWS (IAM, VPC, networking, data services), containerized workloads (Docker, Kubernetes/EKS), and infrastructure-as-code (Terraform or similar)
  • Comfort reading, reviewing, and contributing code in at least one language common to modern web stacks (Python, Go, Ruby, TypeScript, or similar)
  • Clear, direct communication style. You can make a sharp technical argument to senior engineers, translate risk into business terms for leadership, and write a bug report an engineer actually wants to fix
  • Strong partnership instincts - you get leverage by making other teams faster, not by blocking them

Nice To Haves

  • Experience in fintech, proptech, healthcare, or another regulated industry where data sensitivity is high
  • Background meaningfully contributing to a bug bounty program
  • Experience with identity and access systems (OIDC, SAML, federation, fine-grained authorization)
  • Detection engineering, DFIR, or red-team experience
  • Open source contributions to security tooling, published research, or CVE credits
  • Relevant certifications (OSCP, OSWE, GWAPT, GPEN, etc.) - valued but not required

Responsibilities

  • Run offensive assessments against Qualia's applications and infrastructure: manual penetration testing, exploit development, authenticated web/API testing, and adversarial review of new designs before they ship
  • Lead threat modeling and secure design review for the highest-risk initiatives across the company, and mentor engineers to do the same for their own work
  • Own and evolve our AppSec tooling stack end-to-end - SAST, DAST, SCA, secret scanning, IaC scanning, and the CI/CD gates that tie them together. Build the custom rules, detections, and automation that generic tooling doesn't give us
  • Harden our cloud posture: review AWS configurations, IAM policies, Kubernetes/EKS workloads, and networking boundaries; build automation and guardrails that prevent the same class of issue from recurring
  • Reduce toil for the team - write the tools, scripts, and integrations that turn a day of triage into a few minutes
  • Partner with Infrastructure and Platform on detection engineering, incident response support, and cross-cutting programs (secrets management, supply chain, runtime security)
  • Set the technical bar for the AppSec team: raise the quality of reviews, establish patterns others can reuse, and mentor peers across seniority levels
  • Represent AppSec in architectural reviews, vendor evaluations, and compliance efforts

Benefits

  • comprehensive health plans
  • a 401k program
  • commuter benefits
  • professional development
  • parental leave
  • a flexible time off policy