Staff Application Security Engineer

About The Position

Requirements

• 7-10+ years of experience in Product/Application Security, with a strong background in software engineering.
• Proficiency in C#/.NET (preferred) or Go/Java. You must be able to read code to find vulnerabilities and write code to fix them.
• Experience moving security "left" using tools like GitHub Advanced Security (GHAS), dependency scanners, and secret detectors.
• Proven ability to script (Python, Go, PowerShell) and automate security tasks. You prefer building a tool to solve a problem over fixing it manually.
• Interest in the intersection of AI and Security, specifically in securing AI workloads, leveraging AI capabilities to embed security throughout the SDLC, and using AI agents for defense.

Responsibilities

• Build the Secure Paved Road (Pipeline and Code)
• Deeply integrate GitHub Advanced Security into the CI/CD pipeline to act as automated checkpoints, providing fast feedback to engineers without manual intervention.
• Collaborate with Engineering to develop and maintain secure microservice templates and libraries with embedded security controls.
• Lead hardcoded secrets mitigation efforts by automating detection and building workflows to validate compromised credentials via API.
• Drive cross functional initiatives to establish and continuously improve secure software development lifecycle practices across the organization.
• Continuous Security Testing and Validation
• Lead onboarding and operation of continuous penetration testing capabilities across web applications and services.
• Participate in and help scale internal security assessments, penetration testing, and bug bounty programs.
• Evaluate, prototype, implement, and operate security tools including DAST, SAST, and SCA.
• Run proactive simulations based on emerging threats to validate defenses and identify gaps.
• Architecture and Threat Modeling
• Lead security design reviews and threat modeling for new and existing services.
• Develop and maintain secure architecture standards, frameworks, and reusable patterns across multiple layers of the stack.
• Continuously analyze evolving security threats, determine relevance, and implement centralized mitigations.
• Operational Support and Engineering Partnership
• Act as the AppSec technical expert for the Security Champions Program, guiding engineers on vulnerability remediation and secure coding practices.
• Implement just in time training mechanisms that help engineers remediate vulnerabilities as they are introduced.
• Own initial triage of vulnerability findings, identify patterns, and drive automation and guardrails to reduce recurring issues.
• Participate in security incident response and support post incident analysis and remediation efforts.
• Continuous Improvement and Expertise
• Maintain strong knowledge of current security threats, vulnerabilities, and operational best practices, applying that knowledge to continuously improve the organization’s security posture.

Benefits

• Flexible time off
• Learning and development opportunities
• Comprehensive onboarding program
• Leadership training
• Peer-nominated awards
• Company-paid medical, dental, and vision (with 100% employer paid options and 90% coverage for dependents)
• FSA and HSA
• 401k match
• Telehealth options including memberships to One Medical
• Parental leave and support
• Up to $20k in fertility services (i.e. IUI and IVF), surrogacy, and adoption reimbursement
• On demand maternity support through Maven Maternity
• Free breast milk shipping through Maven Milk
• Pet insurance
• Legal advisory services
• Financial planning tools