Staff Application Security Engineer

228k – 290k | San Francisco, CA | Hybrid | 10+ YOE

Summary

Lead application security initiatives as a technical leader on a new security team. Drive threat modeling, secure SDLC, code reviews, vulnerability management, and AI security for a healthcare AI platform.

About the role

Secure Development & Architecture Leadership

  • Lead Threat Modeling and Design Reviews: Conduct advanced threat modeling and security architecture reviews for complex systems, new products, and platform initiatives.
  • Define Security Strategy: Define and implement the technical roadmap for the Application Security program, focusing on scalable assurance and proactive security measures.
  • Mentor and Enable: Act as a subject matter expert and trusted advisor to product and engineering teams, providing mentorship on security features, product defense, secure coding practices, application architecture, and vulnerability remediation strategies.
  • Conduct Training & Awareness: Develop training materials for engineers to build a foundation of security best practices.

Vulnerability Management & Incident Response

  • Code and Security Reviews: Perform and lead in-depth secure code reviews (both manual and tool-assisted) to identify complex security vulnerabilities and flaws, including logic and authorization vulnerabilities.
  • Internal Penetration Testing: Lead internal penetration testing engagements for net new products and historical systems.
  • Vulnerability Program Oversight: Design and enhance the end-to-end vulnerability management program for products and applications, ensuring timely identification, prioritization, and remediation of critical security issues.
  • Security Incident Response: Serve as an expert on products and applications for the security incident response team, assisting in investigating and resolving security events and incidents.

What You’ll Bring

  • 10+ years of direct experience in an Application Security role, with a demonstrated history of designing and implementing security improvements at scale.
  • Deep proficiency in one or more major programming languages (Python and Next.js a big plus) and a solid background in software development principles.
  • Extensive experience securing applications deployed in Cloud environments (GCP a big plus) and knowledge of containerization technologies (Kubernetes).
  • Expert-level knowledge of web application security techniques and principles, APIs, IAM (including identity, authentication/authorization, RBAC, ABAC), and applied cryptography.
  • Deep understanding of the security of AI and ML models, agents, and associated systems.

Bonus Points If…

  • Proven experience contributing to or leveraging open-source security tools, publishing security research, managing bug bounty programs, and active engagement in the security industry.
  • Demonstrated ability to drive large, cross-functional technical projects that impact security posture across the entire organization.
  • Experience defining and utilizing security metrics to measure and report on the effectiveness of the AppSec program to both technical and executive audiences.

Skills

Python, Next.js, GCP, Kubernetes, Threat Modeling, Secure Code Review, Penetration Testing, IAM, Applied Cryptography, AI/ML Security