Application Security Engineer II

Posted 5 Hours Ago
Chicago, IL
Senior level
eCommerce • Food • Sales • Software
Grubhub connects millions of diners with the food they love from their favorite local restaurants.
The Role
As an Application Security Engineer II at Grubhub, you will design and manage application security capabilities, conduct threat modeling, and integrate security solutions into CI/CD pipelines. You will enhance security standards and improve the efficiency of application security controls, collaborating with teams to ensure scalable and reusable security tools.
Summary Generated by Built In

About The Opportunity
We're all about connecting hungry diners with our network of over 300,000 restaurants nationwide. Innovative technology, user-friendly platforms and streamlined delivery capabilities set us apart and make us an industry leader in the world of online food ordering. When you join our team, you become part of a community that works together to innovate, solve problems, grow, work hard and have a ton of fun in the process!
Why Work For Us
Grubhub is a place where authentically fun culture meets innovation and teamwork. We believe in empowering people and opening doors for new opportunities. If you're looking for a place that values strong relationships and embraces diverse ideas, all while having fun together, Grubhub is the place for you!
Grubhub Security is charged with delivering tailored solutions that provide a safe and trustworthy experience for our users and more than 31.5 million customers. We are committed to maintaining the highest standards of security and compliance in all aspects of our operations. We pride ourselves on innovation, integrity, and a dedication to safeguarding our digital assets.
More About The Role:
Grubhub's Product Security team is seeking a talented Application Security Engineer to join our team. This role focuses on designing, integrating, and managing application security capabilities, analyzing findings, and ensuring security throughout the development lifecycle. Additionally, you will contribute to proactive security practices, such as threat modeling and secure architecture reviews. As an Application Security Engineer, you will leverage your engineering expertise to develop scalable, reusable solutions for integrating security capabilities, such as Static Code Analysis (SAST) and Software Composition Analysis (SCA), into CI/CD pipelines and developer workflows. These capabilities will seamlessly align with a centralized solution designed to manage scanning policies and process scanner outputs to feed them into our Vulnerability Management framework. The reusable tools and solutions you build will empower service and platform teams to independently integrate these capabilities into their pipelines, ensuring consistent security standards and actionable insights. Your work will play a critical role in elevating the security posture of Grubhub's services.
The Impact You Will Make:

  • You'll ensure that Grubhub's key business initiatives are delivered securely
  • You'll enable Grubhub to reduce its security risk and improve in security maturity
  • You'll build highly scalable and reliable processes to ensure and improve the efficiency and accuracy of the application security controls
  • You'll deliver, deploy, maintain, and monitor the performance of application security controls, directly contributing to service readiness and resilience against evolving cyber threats.
  • You'll evaluate tools, technologies, frameworks, and vendors to improve Grubhub's product security posture in collaboration with senior Cybersecurity team members and partners from other teams.
  • You'll enable self-service capabilities for service and platform teams, providing scalable, reusable tools that allow them to integrate security into their workflows.
  • Promote a collaborative work culture and actively engage with domain experts across teams.


Key Responsibilities:

  • Develop and integrate application security capabilities (e.g., SAST, SCA) into CI/CD pipelines and developer environments.
  • Build reusable tools and containerized/CLI-based implementations for service and platform teams.
  • Help to design centralized solutions for managing scanning policies and processing tool outputs to ensure consistency and scalability.
  • Analyze security findings, prioritize vulnerabilities, and provide actionable recommendations to development teams.
  • Integrate analyzed code vulnerabilities into Grubhub's vulnerability management service.
  • Partner with developers to enhance secure coding practices and streamline vulnerability remediation.
  • Conduct threat modeling sessions and architecture design reviews to proactively identify and mitigate risks.
  • Assess and refine application security tools and processes to ensure alignment with evolving engineering workflows and security needs.


What You Bring To The Table:

  • Bachelor's degree in Computer Science, Information Technology, or related field (or equivalent experience).
  • 3+ years of experience in application security, software development, or related fields.
  • Intermediate-level experience with Java, Go, or Python with demonstrable experience in conducting code reviews to identify security deficiencies at the code-level including flaws in business logic.
  • Ability to design and develop modular, reusable code libraries or classes optimized for containerized environments.
  • Demonstrated experience in integrating containerized components into CI/CD pipelines, automating build, test, and deployment processes to ensure scalability and reliability.
  • Strong understanding of common vulnerabilities and security principles, including the OWASP Top 10, CWE, and relevant secure coding standards.
  • Familiarity with centralized solutions for managing scanning policies and aggregating outputs.
  • Practical experience with running and managing tools like SAST, SCA, or DAST
  • Ability to create and write scripts to automate redundant activities.
  • Excellent communication skills and ability to work collaboratively in a team environment.
  • Strong analytical and problem-solving abilities, with a keen attention to detail.
  • Proven ability to work effectively in a fast-paced, dynamic environment and manage multiple priorities simultaneously.


Preferred Qualifications:

  • Experience with threat modeling tools and methodologies such as STRIDE, DREAD, PASTA or Kill Chain.
  • Certifications such as CompTIA Security+, CCSP, CSSLP, CASE or equivalent.
  • Familiarity with DevOps practices and CI/CD pipelines.
  • Knowledge of regulatory compliance frameworks such as PCI DSS, GDPR, HIPAA, etc.
  • Willingness to participate in incidents as needed as a security SME
  • Written and verbal communications which are organized, audience-appropriate and data-driven.
  • Able to work like an enterprise software engineer. We'd love to hear about solutions and capabilities you've built yourself to enable the teams and organizations you've worked with to identify security defects and bugs at scale.


And Of Course, Perks!

  • Flexible PTO. Grubhub employees enjoy a generous amount of time to recharge.
  • Health and Wellness. Excellent medical, dental and vision benefits, 401k matching, employee network groups and paid parental leave are just a few of our programs to support your overall well-being.
  • Compensation. You'll receive a highly-competitive compensation package with eligibility for generous incentives, bonuses, commission, and RSUs.
  • Free Meals. Our employees get a weekly Grubhub credit to enjoy and support local restaurants.
  • Social Impact. We believe in giving back through programs like the Grubhub Community Relief Fund, and provide our employees opportunities to support causes that are important to them.


Grubhub is an equal opportunity employer. We welcome diversity and encourage a workplace that is just as diverse as the customers we serve. We evaluate qualified applicants without regard to race, color, religion, age, sex, sexual orientation, gender identity, national origin, disability, veteran status, and other legally protected characteristics. If you're applying for a job in the U.S. and need a reasonable accommodation for any part of the employment process, please send an email to [email protected] and let us know the nature of your request and contact information. Please note that only those inquiries concerning a request for reasonable accommodation will be responded to from this email address.
If you are a resident of the State of California and would like a copy of our CA privacy notice, please email [email protected].

Top Skills

Application Security

The Company
HQ: Chicago, IL
10,000 Employees
Hybrid Workplace
Year Founded: 2004

What We Do

Grubhub is part of Just Eat Takeaway.com (LSE: JET, AMS: TKWY), and is a leading U.S. food ordering and delivery marketplace. Dedicated to connecting diners with the food they love from their favorite local restaurants, Grubhub elevates food ordering through innovative restaurant technology, easy-to-use platforms, and an improved delivery experience. Grubhub features more than 375,000 restaurant partners in over 4,000 U.S. cities.

Why Work With Us

Our teams thrive in a fast-paced environment that strives to reflect the diversity of our customers and the communities we serve. We value curiosity and data-driven mindsets to empower each other to think like owners and innovate like entrepreneurs, all while maintaining a healthy work-life balance and offering opportunities for professional growth.


Grubhub Offices

Hybrid Workspace

Employees engage in a combination of remote and on-site work.

We offer a flexible working environment where we value our in-person culture, while balancing the needs of our people with the needs of the business.

Typical time on-site: Flexible
HQ: Chicago, IL
Boston, MA
New York, NY