Sr. Application Security Engineer

Responsibilities

• Lead security architecture reviews for new and existing applications, embedding secure-by-design principles from initial design through deployment and ongoing operation.
• Develop, enforce, and refine secure coding standards across engineering teams using automated security scans (SAST, DAST, SCA), AI-assisted code review (Claude Code), manual code audits, and secure development training.
• Own the design, implementation, and evolution of Application Security Posture Management (ASPM) capabilities, integrating signals from static analysis, dynamic testing, software composition analysis, and runtime telemetry to build risk-scoring models.
• Continuously improve threat modeling frameworks across application components, third-party integrations, cloud-native architectures, and AI/LLM-powered features using AI tools (Claude Security) for accelerated threat model generation.
• Develop custom security automation tools and scripts to improve detection and response capabilities, including AI-assisted vulnerability auto-fix workflows and integration of AI-powered security tooling into CI/CD pipelines.
• Own and operate the company's bug bounty program end-to-end: define program strategy, triage and validate submissions, assess severity, and engage with the security research community.
• Manage vulnerability triage and prioritization processes, ensuring assessments align with exploitability, business impact, and compliance requirements.
• Influence product roadmaps by identifying and advocating for security enhancements aligned with regulatory requirements, industry best practices, and AI-integrated application threats.
• Mentor security engineers and developers on secure coding, vulnerability remediation, and AI-augmented security workflows.
• Present security findings, risk assessments, and program metrics to senior leadership, clients, auditors, and regulators.

Requirements

• 7+ years of progressive experience in application security, software security engineering, or related domain within production SaaS environments.
• Extensive hands-on experience in secure software development, DevSecOps pipeline design, and security testing methodologies (SAST, DAST, SCA, penetration testing).
• Demonstrated experience securing large-scale cloud-native applications, APIs, and microservices architectures.
• Experience leading application security initiatives, defining program strategy, and mentoring engineering teams.
• Regular hands-on use of AI-powered security and development tools (Claude Code, Claude Security, or comparable) as part of daily workflows.
• Experience assessing AI-specific attack surfaces in LLM-integrated applications (prompt injection, context leakage, insecure tool use, model denial-of-service).
• Deep expertise in AWS security, Kubernetes security, and cloud-native application security best practices.
• Strong programming proficiency to review and assess security risks in one or more of: Java, C#, JavaScript/TypeScript, Python, Swift, or Kotlin.
• Expertise in secure authentication and authorization mechanisms (OAuth 2.0, OIDC, SAML, JWT, WebAuthn, Zero Trust).
• Hands-on proficiency with AI-augmented security workflows for vulnerability discovery, remediation, threat modeling, and security automation.
• Strong understanding of OWASP Top 10, OWASP Top 10 for LLM Applications, SANS 25, CVSS/EPSS scoring, and MITRE ATT&CK framework.
• Ability to identify, assess, and mitigate prompt injection vulnerabilities in LLM-integrated applications.
• Experience with secure context window management in AI-powered products.
• Hands-on experience with security automation and scripting (Python, Bash, or equivalent).
• Proficiency in penetration testing methodologies for web applications, APIs, and mobile platforms.
• Strong knowledge of encryption standards, cryptographic best practices, and secrets management.
• Bachelor's degree in Computer Science, Cybersecurity, Information Assurance, Software Engineering, or related field, or equivalent combination of education and experience.
• Ability to work independently in a remote setting with high performance and accountability.

Nice-to-Haves

• Preferred certifications: CSSLP, OSCP, GWEB, or GWAPT.
• Experience evaluating security posture of AI providers (API security reviews, data residency assessments, vendor risk questionnaires).
• Familiarity with AI model access controls and secrets hygiene in AI pipelines.
• Experience with SIEM, WAF, and security monitoring tools.
• Familiarity with cloud security controls in AWS (IAM, security groups, KMS, Lambda security, cloud monitoring).
• Strong project management abilities and experience collaborating across product, engineering, and compliance teams.