Staff Application Security Engineer

What You’ll Do

• Engineer, implement and monitor security measures for the protection of computer systems, networks, and information

• Prepare, maintain and document standard operating procedures and protocols

• Configure and troubleshoot security infrastructure systems

• Develop and maintain technical solutions and security tools to help mitigate security vulnerabilities and automate repeatable tasks

• Work closely with technical leads to collate, drive and deliver on a technical strategy and roadmap that encompasses product, cloud, and enterprise security

• Assist with security reviews, threat modeling, code reviews

• Assist with our vulnerability management efforts across functional teams (enterprise and application security) to ensure we meet our SLAs and help mitigate risks

• Be an advocate for security best practices and the point of contact throughout the company

• Any other tasks that may be assigned to help the company meet its goals

What You’ll Bring

• 8+ years of experience with auditing web applications.

• 3+ years using at least one high level programming language e.g. Node.js, Python, Go, Java, Ruby.

• Experience utilizing web application security scanning software and penetration testing tools e.g. Burp Suite, ZAP, Nessus, Qualys, Metasploit, CANVAS, Nuclei, Cobalt Strike.

• Experience and desire conducting Security training for developers and the security team.

• Experience performing threat modeling and secure design review in order to assess the security implications and requirements of new systems and technologies.

• Experience building or working with distributed multi-tier web server-client architectures.

• Experience with cloud environments AWS or Azure.

• Strong foundational understanding of network and application fundamentals and best practices; e.g. HTTP, DNS, VPN, SAML, OAuth, OpenID etc.

• Strong understanding of OWASP Top 10 vulnerabilities in web applications, including XSS, SSRF, IDOR, RCE, CSRF vulnerabilities.

• Working knowledge of the Microsoft Security Development Lifecycle (SDL), OWASP Software Assurance Maturity Model (SAMM), or Building Security in Maturity Model (BSIMM)

• Experience implementing security practices in automated CI/CD pipelines for application code, infrastructure, and/or serverless is a plus.

• Strong sense of ownership, urgency and drive.

• Strong ability to lead cross-team initiatives and communicate proposals and ideas concisely.

Preferred Qualifications:

• Certifications: OSCP, OSWA, OSWE, or Burp Suite Certified Practitioner (BSCP).
• Programming: Strong programming skills in NodeJS, Python, and/or Go.
• Cloud Fluency: Experience securing applications specifically within AWS environments (Lambda, ECS/EKS, DynamoDB security).
• Compliance: Familiarity with mapping technical application controls to compliance frameworks like SOC 2, HIPAA, or PCI-DSS.