Security Engineer - Application Security

We're looking for a highly skilled and passionate Security Engineer with a dedicated focus on Application Security to join our team. You'll embed robust security practices throughout the entire software development lifecycle (SDLC), from design to deployment. This role is key to building secure, resilient applications while fostering a culture where security is a seamless part of innovation.

We're seeking candidates with at least five years of experience in software development and application security in a production environment. This isn't just about identifying issues; you'll be on the front lines, directly involved in fixing vulnerabilities and implementing secure code changes. Responsibilities will vary based on experience, with senior engineers leading strategic initiatives and automation, and others focusing on foundational practices. This is a collaborative role, balancing security with developer velocity and operational efficiency, ensuring security enables fast delivery of secure software.

Responsibilities

• Drive security best practices into the SDLC, including security architecture reviews, threat modeling, and secure coding guidance.
• Implement and manage automated application security tools (SAST, DAST, SCA) in CI/CD pipelines for credential scanning, static/dynamic analysis, and dependency scanning.
• Conduct regular application security testing, coordinate third-party assessments, and actively participate in fixing identified vulnerabilities.
• Configure and maintain Web Application Firewalls (WAF) to protect applications.
• Design and implement security controls for APIs, including authentication, authorization, and API gateway policies.
• Implement security controls for cloud-deployed applications, leveraging cloud-native security services for threat detection.
• Deploy and manage application-focused SIEM detections, centralize application log collection, and support security monitoring. Participate in incident response for application-specific threats.
• Develop and maintain application security policies, standards, and guidelines (e.g., OWASP Top 10, NIST, ISO 27001).
• Work closely with Full Stack Engineers to educate them on secure coding practices, provide training, and empower them to build secure applications.
• Collaborate with product engineering, DevOps, and SRE teams to implement secure, usable, and efficient security solutions.

Required Experience

• 5+ years in security engineering, with a strong focus on application security.
• Demonstrated software development background with proficiency in writing and fixing code, ideally in languages like JavaScript/TypeScript (Next.js/Node.js). You'll be expected to contribute directly to codebases to implement security fixes and features.
• Expertise in SSDLC principles including threat modeling, secure design patterns, and secure coding.
• Hands-on experience with commercial and open source application security scanning tools (e.g., GitHub Advanced Security, Pnpm audit, Nodejsscan, Burp Suite, Invicti, OWASP ZAP, Gitleaks) for SAST, DAST, SCA, and secret detection.
• Strong understanding and practical experience with Web Application Firewalls (WAFs).
• Proficiency in cloud security controls for applications (e.g., GCP, Cloud Armor, Security Command Center, IAM hardening, Cloud Logging).
• Solid understanding of API security best practices and experience securing RESTful, tRPC and GraphQL APIs.
• Proficiency in SIEM & log management for application security, including log aggregation, correlation, visualization and threat detection.
• Proficiency in scripting for automation and integrating security tools into CI/CD pipelines.
• Strong understanding of common application vulnerabilities (e.g., OWASP Top 10).
• Excellent communication and collaboration skills to effectively convey security concepts to developers and other stakeholders.

Preferred Experience

• Offensive security experience (e.g., bug bounty participation, CTFs) is a plus. Penetration testing experience is welcome but not mandatory.
• Security certifications such as CISSP, CSSLP, OSCP, or GIAC GWEB.
• Hands-on experience with containerization (Docker, Kubernetes) and securing containerized applications.
• Experience with compliance frameworks relevant to application security (SOC 2 Type 2, ISO 27001) and supporting related audits.
• Experience in financial services or other regulated industries with stringent application security requirements.