Staff Application Security Engineer

About The Position

Requirements

• 7+ years of experience in application security or a closely related discipline
• Demonstrated experience building or significantly maturing an application security program
• Deep hands-on experience with SAST and DAST tooling implementation and management
• Strong knowledge of secure SDLC practices and CI/CD pipeline security integration
• Experience with dependency scanning and software supply chain security
• Proficiency in threat modeling methodologies (STRIDE, PASTA, or equivalent)
• Experience managing or coordinating third-party penetration testing engagements
• Solid understanding of secrets management solutions (e.g., HashiCorp Vault, AWS Secrets Manager, or equivalent)
• Strong written and verbal communication skills — able to document findings and present risk clearly to both technical and non-technical audiences

Responsibilities

• Own the full implementation of SAST tooling across all codebases and CI/CD pipelines
• Own the full implementation of DAST tooling across all customer-facing and internal applications
• Establish baseline findings, prioritize remediation, and work directly with engineering to resolve issues
• Maintain and tune tooling over time as the codebase and attack surface evolve
• Define and enforce a secure software development lifecycle across engineering teams
• Establish secure release processes including code signing and build integrity verification
• Develop and maintain security standards, guidelines, and secure coding practices
• Integrate security checkpoints throughout the development pipeline without creating unnecessary friction for engineering
• Lead threat modeling exercises for new infrastructure designs, features, and system changes
• Ensure all customer-facing and internal applications are fully documented and threat modeled
• Maintain a living inventory of the company's attack surface and ensure it reflects current architecture
• Implement and manage dependency scanning across all projects
• Enforce version pinning policies to reduce exposure from uncontrolled dependency updates
• Deploy and manage supply chain security tooling (e.g., Socket.dev or equivalent) to monitor for malicious or compromised dependencies
• Establish a process for ongoing dependency review and remediation
• Define and maintain a penetration testing program covering all surface areas — applications, APIs, internal tooling, and infrastructure
• Scope, schedule, and manage third-party penetration testing engagements
• Track findings through to remediation and validate fixes
• Design and implement a secrets management program across cloud infrastructure and engineering workflows
• Eliminate hardcoded credentials and secrets from codebases
• Establish policies and tooling for secrets rotation, access control, and audit logging
• Implement fuzz testing across applicable components, particularly APIs and input-handling logic
• Ensure coverage gaps in the attack surface are identified, documented, and addressed systematically

Benefits

• Health insurance, including dental and vision plans
• Health, Dependent Care and Commuter Flexible Spending Accounts
• Paid Parental Leave
• Life insurance; short- and long-term disability plans
• Company-funded 401(k) plan, no matching required
• Unlimited PTO
• 10 paid company-wide holidays
• Company-wide winter break for most roles
• Meals and snacks provided in office
• Paid company cell phone or stipend
• Bitwise “Buddy” Program (30-day new-hire success program)
• Annual anniversary gifts
• Company-wide events including annual holiday party
• Internal Women of Bitwise (WOB) group with fun events