Senior Security Engineer

Mach7 TechnologiesBurlington, VT
Remote

About The Position

We're looking for a Senior Security Engineer to lead application security efforts across our product portfolio, spanning web applications, APIs, mobile, embedded software, and shipped product deliverables. You'll be embedded in the engineering organization, partnering with product and platform teams to bake security into every phase of the software development lifecycle, not bolt it on at the end. A critical part of this role is developing and maintaining a deep understanding of our product attack surface, how components interact, what's exposed, and where real risk lives. That understanding is what transforms security tooling output into prioritized, meaningful action across threat modeling, vulnerability management, and supply chain risk. This is a high-impact role for someone who is equally comfortable reading source code, threat modeling a new microservice, and coaching a developer through a secure code review.

Requirements

  • 5+ years of experience in security engineering, with a strong AppSec focus
  • Hands-on experience with threat modeling frameworks (STRIDE, PASTA, or similar)
  • Proficiency with common AppSec tooling: Semgrep, Snyk, Burp Suite, OWASP ZAP, or equivalents
  • Deep understanding of web application vulnerabilities (OWASP Top 10, API security, auth/authz flaws)
  • Ability to read and reason about code in at least two languages; prior development experience a plus
  • Experience with software supply chain security — SBOM generation and analysis (CycloneDX, SPDX), SCA tooling, and dependency risk management
  • Strong written and verbal communication skills — you can explain risk to both engineers and executives
  • Experienced security professional with a strong background in application security and secure software development.
  • Skilled at threat modeling, secure code reviews, and identifying real-world risks across complex systems.
  • Knowledgeable in web, API, mobile, and software supply chain security best practices.
  • Comfortable working with developers to embed security throughout the SDLC.
  • Proficient with security testing and vulnerability management tools, including SAST, DAST, and SCA solutions.
  • Strong communicator who can translate technical risks into actionable recommendations.
  • Collaborative, proactive, and driven to improve both product security and engineering security culture.
  • Passionate about continuous learning, emerging threats, and helping teams build secure products at scale.

Nice To Haves

  • Experience with cloud-native environments (AWS, GCP, or Azure) and container/Kubernetes security
  • Familiarity with software supply chain frameworks such as SLSA, NIST SSDF, or OpenSSF Scorecards
  • Contributions to open-source security tooling or security research
  • Relevant certifications: OSCP, CSSLP, GWEB, or similar

Responsibilities

  • Own and evolve the AppSec program across the entire SDLC — from design reviews to post-deployment monitoring — for web, API, mobile, and shipped product deliverables
  • Build and maintain a living model of the product attack surface — mapping trust boundaries, data flows, exposed interfaces, and high-value targets — and use it to drive prioritization across all security workstreams
  • Conduct threat modeling and architecture security reviews for new features, services, and product releases across all delivery channels
  • Perform manual and automated secure code reviews across multiple languages (e.g. Python, Go, TypeScript, C/C++)
  • Integrate and tune SAST, DAST, and SCA tooling within CI/CD pipelines (GitHub Actions, Jenkins, or equivalent)
  • Triage and drive remediation of vulnerabilities surfaced through scanning, bug bounty, and pen tests
  • Develop and maintain a library of security standards, patterns, and guardrails applicable across product types
  • Own the Software Bill of Materials (SBOM) program — define generation, storage, and consumption processes across all product lines
  • Establish and maintain policies for evaluating, onboarding, and continuously monitoring third-party dependencies and open-source components
  • Triage and prioritize CVEs and license risks surfaced through SCA tooling, driving timely remediation with engineering teams
  • Define processes for responding to upstream supply chain incidents (e.g. compromised packages, malicious dependencies)
  • Collaborate with procurement and legal to assess security risk of third-party vendors and integrations
  • Contribute to industry frameworks and internal standards around software supply chain security (SLSA, NIST SSDF, or equivalent)
  • Act as a trusted security advisor embedded within product engineering squads
  • Lead security training, lunch-and-learns, and developer education initiatives
  • Collaborate with the Platform team on secrets management, identity, and access controls
  • Work with the GRC function to translate compliance requirements (SOC 2, ISO 27001) into engineering controls
  • Participate in the security on-call rotation and lead security incident response investigations
  • Drive root cause analysis and communicate findings clearly to engineering leadership
  • Build and maintain metrics and dashboards to track the health of the AppSec program
  • Participate as a member of the Cybersecurity council, representing development in the organization. Report weekly on new threat intelligence as it relates to product security, and any actions that are being taken to remediate new findings.

Benefits

  • Customer First
  • Learn & Grow
  • Innovate for Impact
  • Minimize Complexity & Move
  • Build Good Sht
  • Everyone Sells
© 2026 Teal Labs, Inc
Privacy PolicyTerms of Service