Senior Staff Application Security Engineer

Pura
Pleasant Grove, UT
6d
Hybrid

About The Position

As a Senior Staff Application Security Engineer, you will be the primary technical authority for our application security program. This is a high-impact leadership role reporting directly to the Director of Security. You will be responsible for securing the entire Pura ecosystem—from our mobile apps and cloud-native backend to our innovative IoT hardware and emerging AI-driven features. You aren't just finding bugs; you are designing the secure workflows that empower our engineering teams to move fast without breaking our "hard no" policy on security risks.

Your role goes beyond simple bug detection; you will architect secure, efficient workflows. This empowers our engineering teams to accelerate development while upholding our commitment to best-in-class policies, recognizing that they are negotiable to align with business needs. Compromise is key to creating the best solutions that allow the business to move fast while still ensuring we have mitigating safety features. You will lead manual code audits, architect security for AI/LLM systems, and proactively hunt for threats that target our unique "Scent Design" platform.

Open to remote/hybrid candidates. You will help us inspire a belief in the power of fragrance to craft and elevate memorable moments for our Owners. This is your chance to make an impact in a high-growth company that’s redefining the way people experience scent.

Requirements

  • Experience: 8+ years in Application Security or Software Engineering with a heavy security focus. At least 3 years in a Staff or Lead capacity.
  • Technical Depth: Expert-level knowledge of web, mobile (iOS/Android), and API security. Deep familiarity with the OWASP Top 10 and SANS Top 25.
  • AI Security Expertise: Proven experience securing LLM-based applications and understanding AI-specific risks (OWASP for LLMs).
  • Cloud & IoT: Extensive experience with AWS/GCP security and securing IoT device-to-cloud communication.
  • Coding Skills: High proficiency in at least one modern language (Node.js, Python, Go) and the ability to perform manual code reviews in a polyglot environment.
  • Workflow Mastery: Strong experience with Infrastructure as Code (Terraform), container security (Docker/K8s), and CI/CD automation.
  • Communication: Ability to simplify complex security risks for executive leadership while providing actionable, code-level guidance to developers.

Responsibilities

  • Security Architecture & AI Integration: Lead the design and security review of AI-powered features, ensuring LLM safety (preventing prompt injection, data leakage, and RAG vulnerabilities).
  • Secure Workflow Design (DevSecOps): Design and implement "secure-by-default" guardrails and automated security pipelines (SAST, DAST, SCA) that integrate seamlessly into GitHub Actions and CI/CD.
  • Advanced Code Auditing: Conduct deep-dive manual source code reviews of complex features, focusing on business logic flaws and authorization issues that automated tools miss.
  • Threat Hunting & Research: Lead proactive application-level threat hunting exercises to identify anomalies and indicators of compromise (IOCs) within the Pura cloud and IoT ecosystem.
  • Vulnerability Management: Own the end-to-end lifecycle of security findings, from triage and reproduction to partnering with engineering for remediation.
  • Act as a technical mentor and "Security Champion" lead for the engineering organization.
  • Perform architectural risk analysis and threat modeling for new product launches.
  • Develop custom security tooling and automation scripts to reduce manual toil.
  • Stay ahead of the curve on IoT security standards and emerging AI attack vectors.
  • Collaborate with the Director of Security to define the AppSec roadmap and track meaningful security metrics.
  • Serve as a technical lead during security incidents, conducting root-cause analysis and post-mortem improvements.

What This Job Offers

Job Type

Full-time

Career Level

Mid Level

Education Level

No Education Listed

Number of Employees

101-250 employees
