Staff II - Application Security Engineer

About The Position

Requirements

• 12+ years of hands-on application security experience, with demonstrated technical depth and a track record of influence beyond your own work.
• Deep knowledge of application security vulnerabilities and mitigation techniques, and the judgment to prioritize them by real business and customer impact.
• Proven ability to lead threat modeling, secure design, and security architecture for complex distributed and cloud-native systems.
• Proficiency in Java or C++, with the ability to read, reason about, and review production code.
• Security breadth across multiple domains — application, system, cloud, and mobile.
• A demonstrated history of driving technical change and raising the security bar across teams, and of mentoring senior engineers.
• Excellent documentation and communication skills, including the ability to influence engineering and product leadership.
• Self-starter who is adaptable, works independently, and brings clarity to ambiguous problems.
• A pragmatic mindset; able to identify practical short term and long term strategic solutions.
• Bachelor’s degree in Computer Science or a related field preferred, or equivalent combination of education and relevant professional experience.

Nice To Haves

• Experience testing agentic AI systems, and the ability to leverage AI tooling across security testing, triage, and documentation workflows.
• Experience building automation solutions that improve the security process at scale.
• Prior experience as a pen tester for a multi-tenant SaaS provider.

Responsibilities

• Set technical direction for application security across the portfolio — defining standards, patterns, and guardrails adopted by engineering teams at scale.
• Lead threat modeling across distributed, cloud-native, and mobile architectures as a repeatable practice embedded in the development lifecycle, not a one-off exercise.
• Define security architecture reference designs that, when followed by engineering teams, remove the need to security-review that aspect on a per-feature basis.
• Identify architectural risk early and influence roadmap and design decisions before implementation begins.
• Perform manual code review and application security testing across Java and C++ codebases; codify findings into reusable guidance engineers can act on without follow-up.
• Scale code review coverage using AI-assisted analysis and custom CodeQL queries tuned to Omnissa's codebase and vulnerability patterns.
• Conduct variant analysis to ensure confirmed vulnerability classes are remediated consistently across the codebase, not in isolation.
• Triage and validate externally reported vulnerabilities — assess exploitability, severity, and business impact, and drive remediation to closure across team boundaries.
• Translate individual findings into systemic recommendations that address root-cause design or implementation gaps across products.
• Define and evolve the SDL — identify gaps, drive measurable improvements, and own the iteration cycle.
• Improve the feature security review program so security work shifts left into design and scales across teams, rather than landing as a release gate.
• Mature the product penetration testing program — define scope, methodology, and cadence; ensure findings drive systemic fixes, not one-off patches.
• Build and scale the security champions program; mentor engineers and create training that extends security capability beyond the security team.
• Establish metrics that make program effectiveness visible to engineering and product leadership.
• Build a deep understanding of the product architecture, development toolchain, and release process across multiple product areas.
• Begin influencing in-flight architectural and design decisions, and identify the highest-leverage gaps in the current security program.
• Own the security strategy for a significant area of the portfolio.
• Set direction that other engineers execute against, drive cross-team prioritization of security work, and shape backlog and roadmap decisions.
• Iterate improvements on the current SDL.
• Deliver measurable, org-level improvements in security posture — e.g., materially reduced mean time to remediation, broadened threat model coverage, or new automation adopted in production across teams.
• Be recognized as a go-to technical authority on application security and a multiplier of the team’s overall effectiveness.
• Report to the Director of Product Security and take technical direction from the Manager of Application Security, while operating with a high degree of autonomy.
• Work closely with a committed team of security engineers, product managers, and developers focused on innovation and getting things done.
• Build trust among team members and stakeholders, committing to customer success.
• Operate in a transparent, communicative environment that emphasizes work-life balance and having fun at work.
• Identify and drive improvements to security processes - both internal workflows and partner-facing interfaces - that reduce friction for development teams and increase the daily effectiveness of security engineers.

Benefits

• employee ownership
• health insurance
• 401k with matching contributions
• disability insurance
• paid-time off
• growth opportunities