Job DescriptionTitle: Senior Security Engineer
Team: Engineering
Location: Remote-Friendly
About the Role:We're looking for a Senior Security Engineer tolead application security efforts across our product portfolio, spanning webapplications, APIs, mobile, embedded software, and shipped productdeliverables. You'll be embedded in the engineering organization,partnering with product and platform teams to bake security into every phaseof the software development lifecycle, not bolt it on at the end.
A critical part of this role is developingand maintaining a deep understanding ofour product attack surface, how components interact, what'sexposed, and where real risk lives. That understanding is what transformssecurity tooling output into prioritized, meaningful action across threatmodeling, vulnerability management, and supply chain risk.
This is a high-impact role for someone who is equallycomfortable reading source code, threat modeling a newmicroservice, and coaching a developer through a secure code review.
What You'll DoApplication Security & Secure SDLC- Ownand evolve the AppSec program across the entire SDLC - from design reviewsto post-deployment monitoring - for web, API, mobile, and shipped productdeliverables
- Buildand maintain a living model of the product attack surface -mapping trust boundaries, data flows, exposed interfaces, and high-valuetargets - and use it to drive prioritization across all securityworkstreams
- Conductthreat modeling and architecture security reviews for new features,services, and product releases across all delivery channels
- Performmanual and automated secure code reviews across multiple languages(e.g. Python, Go, TypeScript, C/C++)
- Integrateand tune SAST, DAST, and SCA tooling within CI/CD pipelines (GitHubActions, Jenkins, or equivalent)
- Triageand drive remediation of vulnerabilities surfaced through scanning, bugbounty, and pen tests
- Developand maintain a library of security standards, patterns, andguardrails applicable across product types
Third-Party & Supply Chain Security - Ownthe Software Bill of Materials (SBOM) program - define generation,storage, and consumption processes across all product lines
- Establishand maintain policies for evaluating, onboarding, andcontinuously monitoring third-party dependencies and open-sourcecomponents
- Triageand prioritize CVEs and license risks surfaced through SCA tooling,driving timely remediation with engineering teams
- Defineprocesses for responding to upstream supply chain incidents(e.g. compromised packages, malicious dependencies)
- Collaboratewith procurement and legal to assess security risk of third-party vendorsand integrations
- Contributeto industry frameworks and internal standards around software supply chainsecurity (SLSA, NIST SSDF, or equivalent)
- Actas a trusted security advisor embedded within product engineeringsquads
- Leadsecurity training, lunch-and-learns, and developer educationinitiatives
- Collaboratewith the Platform team on secrets management, identity, and accesscontrols
- Workwith the GRC function to translate compliance requirements (SOC 2, ISO27001) into engineering controls
Incident & Vulnerability Management - Participatein the security on-call rotation and lead security incident responseinvestigations
- Driveroot cause analysis and communicate findings clearly to engineeringleadership
- Buildand maintain metrics and dashboards to track the health of theAppSec program
- Participateas a member of theCybersecurity council, representing development in theorganization. Report weekly on new threat intelligence as it relatesto product security, and any actions that are being taken to remediate newfindings.
What We're Looking ForØRequired
• 5+ years of experience in security engineering, with a strong AppSec focus
• Hands-on experience with threat modeling frameworks (STRIDE, PASTA, or similar)
• Proficiency with common AppSec tooling: Semgrep, Snyk, Burp Suite, OWASP ZAP, or equivalents
• Deep understanding of web application vulnerabilities (OWASP Top 10, API security, auth/authz flaws)
• Ability to read and reason about code in at least two languages; prior development experience a plus
• Experience with software supply chain security - SBOM generation and analysis (CycloneDX, SPDX), SCA tooling, and dependency risk management
• Strong written and verbal communication skills - you can explain risk to both engineers and executives
ØPreferred
• Experience with cloud-native environments (AWS, GCP, or Azure) and container/Kubernetes security
• Familiarity with software supply chain frameworks such as SLSA, NIST SSDF, or OpenSSF Scorecards
• Contributions to open-source security tooling or security research
• Relevant certifications: OSCP, CSSLP, GWEB, or similar
We recognize that candidates bring diverse experiences and backgrounds. If you don't meet every requirement, we still encourage you to apply! Many strong candidates don't check every box. We value potential, growth, and impact as much as experience.
Who You Are• Experienced security professional with a strong background in application security and secure software development.
• Skilled at threat modeling, secure code reviews, and identifying real-world risks across complex systems.
• Knowledgeable in web, API, mobile, and software supply chain security best practices.
• Comfortable working with developers to embed security throughout the SDLC.
• Proficient with security testing and vulnerability management tools, including SAST, DAST, and SCA solutions.
• Strong communicator who can translate technical risks into actionable recommendations.
• Collaborative, proactive, and driven to improve both product security and engineering security culture.
• Passionate about continuous learning, emerging threats, and helping teams build secure products at scale.
AI Expectations•
Integrate AI into daily work - leverage AI tools to enhance efficiency, elevate quality, and support smarter, faster decision-making.
•
Apply critical human judgment to AI output - review, validate, and take full accountability for AI-assisted work, ensuring accuracy and reliability.
•
Continuously improve through AI - proactively identify opportunities to optimize processes, rethink workflows, and challenge existing approaches rather than maintaining the status quo.
•
Use AI responsibly and ethically - safeguard sensitive information, adhere to company guidelines, and actively identify risks such as bias, inaccuracies, or misuse.