A hybrid Security role at Bazaarvoice.
Original listing text, shown exactly as published by the company.
Lead Application Security Elements: Own the execution and technical oversight of application security components, ensuring robust security controls are integrated throughout the development process.
Automated Pipeline Guardrails: Design and write automated security guardrails directly inside the CI/CD pipeline using open-source and commercial tools to catch vulnerabilities early.
Vulnerability Data Orchestration: Write scripts and API tools to query, aggregate, and correlate data from vulnerability datasets, asset management systems, and scanners to drive automated Jira ticketing and data-driven risk decisions.
Secrets Management Leadership: Lead and manage the enterprise secrets management program, defining technical standards and implementing solutions to protect sensitive credentials across all environments, writing programmatic integrations to securely inject and rotate credentials.
Offensive Security Collaboration: Partner closely with the Offensive Security Engineer on complex projects to proactively identify, validate, and remediate deep-seated application vulnerabilities.
Incident Response & Forensic Support: Provide deep technical expertise and hands-on assistance during security events or investigations, helping engineering teams perform root-cause analysis in the codebase and mitigate impact.
Secure SDLC & Threat Modeling: Proactively engage with development teams early in the SDLC to conduct threat modeling exercises focused on logical application flaws and provide expert consultation on secure architecture.
Mentorship and Advocacy: Act as a security champion and trusted advisor, elevating security knowledge across the organization through training and the development of secure coding guidelines.
Education & Experience: Bachelor's degree in Computer Science, Information Security, or a related field, or equivalent practical experience with 7+ years of professional experience.
Software Engineering Background: Strong background in software development in a Software-as-a-Service (SaaS) environment, with a proven ability to write clean, maintainable code and pass a live/whiteboard coding session.
Application Security Expertise: 5+ years of hands-on experience in application security, including secure code review, threat modeling, and managing AppSec tooling.
API & Data Integration: Proven experience writing code to query APIs, parse datasets (JSON/XML), and integrate disparate tools (e.g., connecting scanner datasets with asset inventory).
Secrets Management Proficiency: Proven experience implementing and managing enterprise-grade secrets management solutions at scale.
Technical Remediation: Expert-level knowledge of OWASP Top 10 and advanced vulnerability classes, with a demonstrated ability to architect and implement scalable remediation solutions.
Scripting & Automation: Proficiency in languages such as Python, Go, or Bash to automate security workflows, query APIs, and build custom security integrations.
Influence & Communication: Exceptional communication skills with the ability to influence technical and non-technical stakeholders across multiple global offices.
Mentorship: A proven history of mentoring senior-level engineers and a passion for elevating the skills of those around you.
Certifications: Professional certifications such as CSSLP, CASE, GWEB, or equivalent.
Cloud Operations: Expertise in AWS or GCP security operations, specifically relating to serverless and containerized application security.
DevSecOps: Experience in a Security Development Lifecycle (SDL) environment and a history of implementing DevSecOps principles.
Community Engagement: Published security research, conference presentations, or active contributions to the open-source security community.
Bazaarvoice is a technology company based in Austin, Texas, that provides software that allows brands and retailers to collect and display several types of user-generated content (UGC) on their e-commerce websites. Bazaarvoice's services include product ratings and reviews, questions and answers, sampling, visual and social content, insights, social commerce and social publishing.
Source: Wikipedia